CVE-2026-50258

NameCVE-2026-50258
DescriptionA stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger stack overflows. This is caused by an incomplete fix of CVE-2025-26597. This may be used to crash the server, or for privilege escalation if the X server runs as root.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1138680, 1138703

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xorg-server (PTS)bullseye2:1.20.11-1+deb11u13vulnerable
bullseye (security)2:1.20.11-1+deb11u17vulnerable
bookworm2:21.1.7-3+deb12u12vulnerable
bookworm (security)2:21.1.7-3+deb12u11vulnerable
trixie2:21.1.16-1.3+deb13u2vulnerable
trixie (security)2:21.1.16-1.3+deb13u1vulnerable
forky, sid2:21.1.23-1fixed
xwayland (PTS)bookworm2:22.1.9-1vulnerable
trixie2:24.1.6-1vulnerable
forky, sid2:24.1.12-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xorg-serversource(unstable)2:21.1.23-11138680
xwaylandsource(unstable)2:24.1.12-11138703

Notes

[trixie] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
[bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
https://www.openwall.com/lists/oss-security/2026/06/02/1
Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/543e108516428fc8c3bea91d6563ad266f9a801e
Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/eced7e74cad4a46c3a3c17b2df13b70b8bedfc25 (xorg-server-21.1.23)
Search for package or bug name: Reporting problems