CVE-2026-50259: 
NixOS Analisi e mitigazione delle vulnerabilità

CVE-2026-50259 is a stack-based buffer overflow vulnerability in the X.Org X server and Xwayland, affecting the _XkbSetMapChecks() function via client-controlled indexing of a fixed-size stack buffer. It was reported on June 5, 2026, via the Trend Micro Zero Day Initiative (ZDI-CAN-30161) and publicly disclosed the same day. Affected versions include xorg-x11-server ≤ 21.1.22 and xorg-x11-server-Xwayland ≤ 24.1.9, with fixes available in xorg-server 21.1.23 and xwayland 24.1.12. Red Hat Enterprise Linux versions 7, 8, 9, and 10 are also listed as affected platforms. The vulnerability carries a CVSS v3.1 base score of 7.8 (High) (GitHub Advisory, Red Hat Bugzilla).

The root cause is a stack-based buffer overflow (CWE-121) in the _XkbSetMapChecks() function within the X.Org X server's XKB (X Keyboard Extension) SetMap request handler. The function declares a fixed-size stack buffer mapWidths[256], indexed by key type index. The helper function CheckKeyTypes() writes to this buffer using a client-controlled offset without adequate bounds checking, allowing any connected X client to write beyond the buffer's boundaries. The attack vector is local (AV:L), requires low privileges (PR:L), and no user interaction, making it straightforward for any authenticated local user or X client with server access to trigger (Red Hat Bugzilla, GitHub Advisory). The upstream fix is available as commit 867b59b33bee669cb412f1314e47c52eacf6e00b in the xorg/xserver GitLab repository (GitLab Commit).

Successful exploitation can result in a denial of service (server crash) or, if the X server is running as root (a common configuration on older or embedded Linux systems), full privilege escalation to root. The vulnerability affects confidentiality, integrity, and availability at a high level, potentially allowing an attacker to execute arbitrary code in the context of the X server process. On systems where the X server runs with elevated privileges, this could lead to complete system compromise, including access to sensitive data and persistent backdoor installation (Red Hat Bugzilla, GitHub Advisory).

Upgrade to the fixed upstream versions: xorg-server 21.1.23 or xwayland 24.1.12, which contain the patch in commit 867b59b33bee669cb412f1314e47c52eacf6e00b (GitLab Commit, Red Hat Bugzilla). As a workaround, avoid running the X server as root where possible, and restrict X client connections to trusted users only (e.g., using xhost restrictions or socket permissions). Red Hat Enterprise Linux users should monitor Red Hat advisories for distribution-specific package updates (Red Hat CVE).

The vulnerability was covered in Rapid7's June 2026 Patch Tuesday blog post, indicating it was considered notable among security practitioners during that patch cycle (Rapid7 Blog). It appeared in the CVEWatch Reddit community's top trending CVEs for both June 7 and June 8, 2026, reflecting community interest. Social media mentions were observed on Bluesky and Mastodon, though no significant researcher commentary or vendor statements beyond the standard advisory have been identified.