
CVE-2026-50258 is a stack-based buffer overflow vulnerability in the X.Org X server and Xwayland, caused by an incomplete fix of CVE-2025-26597. The CheckKeyTypes() function fails to verify or clamp non-canonical key types to XkbMaxShiftLevel, allowing a local client to set excessive shift levels and trigger stack overflows. Affected versions include xorg-x11-server up to and including 21.1.22 and xorg-x11-server-Xwayland up to and including 24.1.9. It was published on June 5, 2026, and carries a CVSS v3.1 base score of 7.8 (High) (GitHub Advisory, Red Hat Bugzilla).
The root cause is classified as CWE-121 (Stack-based Buffer Overflow). The X server allocates multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups, but CheckKeyTypes() does not enforce an upper bound on shift levels for non-canonical key types. Any authenticated local X client can send a crafted request to change key types to shift levels exceeding XkbMaxShiftLevel, triggering up to three separate stack buffer overflows. This vulnerability is a bypass of the prior fix for CVE-2025-26597 and was reported via ZDI-CAN-30160 through the Trend Micro Zero Day Initiative (Red Hat Bugzilla, GitHub Advisory).
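The following C program is an added illustration and is neither X.Org code nor the upstream patch. It models the bound that a CheckKeyTypes()-style validator has to enforce: a weak variant that bounds only the canonical key types (indices below XkbNumRequiredTypes), a strict variant that bounds every type, and a downstream consumer that sizes its stack buffer as XkbMaxShiftLevel * XkbNumKbdGroups and refuses to write past it instead of overflowing. The `wire_key_type_t` layout, the function names, the constructed request and the exact shape of the weak check are assumptions made for the example; only the three Xkb constants are real values from XKB.h.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* XKB protocol constants (real values from XKB.h). */
#define XkbMaxShiftLevel    63
#define XkbNumKbdGroups     4
#define XkbNumRequiredTypes 4   /* canonical types: ONE_LEVEL, TWO_LEVEL, ALPHABETIC, KEYPAD */

/* Capacity of the per-key stack buffers the advisory describes. */
#define STACK_SLOTS (XkbMaxShiftLevel * XkbNumKbdGroups)

/* Hypothetical wire form of one key type carried by a map-change request. */
typedef struct {
    uint8_t numLevels;   /* client-chosen number of shift levels */
    uint8_t numGroups;   /* client-chosen number of groups */
} wire_key_type_t;

/* Weak validation (illustrative model of the incomplete fix): only the
 * canonical types get their shift-level count bounded; a type at index
 * >= XkbNumRequiredTypes is accepted whatever numLevels says. */
bool check_key_types_weak(const wire_key_type_t *t, size_t n, size_t first_type)
{
    for (size_t i = 0; i < n; i++) {
        if (t[i].numGroups > XkbNumKbdGroups)
            return false;
        if (first_type + i < XkbNumRequiredTypes &&
            (t[i].numLevels < 1 || t[i].numLevels > XkbMaxShiftLevel))
            return false;
    }
    return true;
}

/* Strict validation: the same bound is applied to every type. */
bool check_key_types_strict(const wire_key_type_t *t, size_t n, size_t first_type)
{
    (void)first_type;   /* canonical or not, the bound is the same */
    for (size_t i = 0; i < n; i++) {
        if (t[i].numGroups > XkbNumKbdGroups)
            return false;
        if (t[i].numLevels < 1 || t[i].numLevels > XkbMaxShiftLevel)
            return false;
    }
    return true;
}

/* Models the later consumer that expands a key's per-level symbols into a
 * fixed stack buffer. It returns the number of slots written, or -1 when the
 * request needs more slots than the buffer has (the write that overflows). */
int expand_key_symbols(uint32_t *dst, size_t dst_slots, const wire_key_type_t *type)
{
    size_t needed = (size_t)type->numLevels * type->numGroups;
    if (needed > dst_slots)
        return -1;
    for (size_t i = 0; i < needed; i++)
        dst[i] = (uint32_t)i;   /* placeholder keysym */
    return (int)needed;
}

/* Constructed request: one non-canonical type (index 4) claiming 200 levels. */
static const wire_key_type_t sample_request[] = {
    { .numLevels = 200, .numGroups = XkbNumKbdGroups },
};
#define SAMPLE_FIRST_TYPE 4

bool sample_accepted_by_weak_check(void)
{
    return check_key_types_weak(sample_request, 1, SAMPLE_FIRST_TYPE);
}

bool sample_accepted_by_strict_check(void)
{
    return check_key_types_strict(sample_request, 1, SAMPLE_FIRST_TYPE);
}

/* Slots needed by the sample against the STACK_SLOTS-sized buffer (-1 = overflow). */
int sample_expand_result(void)
{
    uint32_t buf[STACK_SLOTS];
    return expand_key_symbols(buf, STACK_SLOTS, &sample_request[0]);
}

int main(void)
{
    printf("weak check accepts: %d, strict check accepts: %d\n",
           sample_accepted_by_weak_check(), sample_accepted_by_strict_check());
    printf("expand result against %d slots (-1 = would overflow): %d\n",
           STACK_SLOTS, sample_expand_result());
    return 0;
}
```

The sample type passes the weak check because its index is non-canonical, yet it would need 200 * 4 = 800 slots in a buffer sized for 63 * 4 = 252; the strict check rejects it before any buffer is touched, which is the property the upstream fix restores.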
Successful exploitation results in a denial of service (server crash) or, when the X server runs as root (still common on older or traditional Linux setups), code execution as root. The CVSS vector rates the impact on confidentiality, integrity and availability as High. Any local user able to connect to the X server, which on a multi-user system is a broad set of users, can trigger the overflow (Red Hat Bugzilla, GitHub Advisory). Xwayland normally runs as the session user rather than root, so there the realistic outcome is a crash of that user's session rather than a root compromise.
The upstream fixes are available in xorg-server 21.1.23 and xwayland 24.1.12; upgrade to these versions or later (Red Hat Bugzilla). The specific upstream patch is available in the freedesktop.org GitLab repository (GitLab Commit). As interim mitigations, restrict X server access to trusted local users only and, where possible, run the X server without root privileges so that a successful overflow is confined to an unprivileged account. A quick check on a running system is `ps -o user= -C Xorg` (or `-C Xwayland`): a result of `root` means an exploit of this bug is a root compromise.
The vulnerability was noted in Rapid7's June 2026 Patch Tuesday roundup, indicating it received attention from the broader security community as part of that month's patching cycle (Rapid7 Blog). It also appeared in CVEWatch community discussions on Reddit and was mentioned on Mastodon by security researchers, reflecting moderate community interest given its local-only attack vector and the context of being an incomplete fix for a prior CVE.
Source: This report was generated using artificial intelligence.