CVE-2026-50262:
NixOS vulnerability analysis and mitigation
Overview
CVE-2026-50262 is an out-of-bounds read (and conditional write) vulnerability in the X.Org X server and Xwayland, specifically within the __glXDisp_ChangeDrawableAttributes() function in the GLX extension handler. An incorrect size validation check allows a client-controlled number of bytes to be read beyond the request buffer, leading to information disclosure; a write path also exists but requires byte-swapped clients, which are disabled by default. Affected versions include X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12, with Red Hat Enterprise Linux 7, 8, 9, and 10 also listed as affected platforms. The vulnerability was published on June 5, 2026, and carries a CVSS v3.1 base score of 5.5 (Medium) (GitHub Advisory, Red Hat Bugzilla).
Technical details
The root cause is classified as CWE-125 (Out-of-bounds Read): the __glXDisp_ChangeDrawableAttributes() function in the GLX request dispatcher performs an incorrect size validation, allowing a malicious X client to specify a client-controlled byte count that exceeds the actual request buffer boundary (GitHub Advisory). The read path is reachable by any X client that can connect to the server; it requires only low privileges and no user interaction. A secondary write path exists in the same function but is gated behind byte-swapped client mode, which is disabled by default; if triggered, the write could crash the server or potentially enable privilege escalation where the X server runs as root (Red Hat Bugzilla). The fix was committed upstream in the freedesktop.org GitLab repository (commit 6d459e4) and announced on the xorg-announce mailing list (xorg commit). The vulnerability was originally reported through Trend Micro's Zero Day Initiative (ZDI-CAN-30165) (Red Hat Bugzilla).
Impact
The primary impact is high confidentiality loss: a low-privileged local user can read an attacker-controlled number of bytes from memory beyond the request buffer, potentially disclosing sensitive in-process data such as credentials, keys, or other memory contents (GitHub Advisory). There is no integrity or availability impact under the default configuration (CVSS I:N, A:N). If byte-swapped client mode is enabled, however, the write path could crash the X server or, in environments where the X server runs as root, potentially enable privilege escalation (Red Hat Bugzilla).
Exploitation steps
- Reconnaissance: Identify systems running a vulnerable version of X.Org X server (prior to 21.1.23) or Xwayland (prior to 24.1.12) to which the attacker has local access.
- Establish an X client connection: As a low-privileged local user, connect to the X server using any standard X client or a custom application capable of sending raw GLX protocol requests.
- Craft a malicious GLX request: Construct a ChangeDrawableAttributes GLX request whose size field specifies a byte count larger than the actual request buffer, exploiting the incorrect size validation in __glXDisp_ChangeDrawableAttributes().
- Trigger the out-of-bounds read: Send the crafted request to the X server; the server reads beyond the request buffer boundary, exposing adjacent memory contents.
- Collect disclosed data: Capture the server's response or observe side-channel effects to extract sensitive memory data (e.g., credentials, keys, or other process memory) (Red Hat Bugzilla, GitHub Advisory).
Indicators of compromise
- Logs: Unusual or repeated GLX ChangeDrawableAttributes requests, particularly with anomalous or oversized attribute count fields. Note that the X server does not log individual protocol requests by default, so this indicator requires request-level tracing of the client connection; X server crash logs or core dumps (if the write path is triggered) are a more direct signal.
- Process: Unexpected child processes or scripts spawned from the X server process; abnormal memory usage patterns in the Xorg or Xwayland process.
- Network/Local IPC: Unusual local socket connections to the X server from non-standard or unexpected client processes, especially those sending malformed GLX protocol messages.
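To make the "oversized attribute count" indicator concrete, here is an added example (not part of this report or of the X.Org code base) that decodes the fixed header of a GLX ChangeDrawableAttributes request as laid out in glxproto.h and checks that the sizes which must agree actually do: the bytes present, the request length field, and the size implied by numAttribs. The advisory does not say which check in __glXDisp_ChangeDrawableAttributes() was wrong, so this is a generic consistency check over captured requests, not the upstream fix. The GLX major opcode, drawable ID and attribute pairs are constructed sample values, and the helper assumes a plain 16-bit length field (no BIG-REQUESTS).

```python
import struct

# Wire layout of the GLX ChangeDrawableAttributes request (glxproto.h):
#   CARD8 reqType (GLX major opcode), CARD8 glxCode, CARD16 length (4-byte units),
#   CARD32 drawable, CARD32 numAttribs, then numAttribs (name, value) CARD32 pairs.
X_GLX_CHANGE_DRAWABLE_ATTRIBUTES = 30   # glxCode from glxproto.h
HEADER_BYTES = 12                       # fixed part of the request
ATTRIB_PAIR_BYTES = 8                   # one CARD32 name + one CARD32 value
SAMPLE_GLX_OPCODE = 152                 # placeholder; the server assigns the real major opcode


def build_request(drawable, attribs, little_endian=True, num_attribs_field=None):
    """Constructed sample request for exercising the checker below.
    `num_attribs_field` overrides the numAttribs header field so that a request
    whose count disagrees with its declared length can be produced for testing."""
    order = "<" if little_endian else ">"
    body = b"".join(struct.pack(order + "II", name, value) for name, value in attribs)
    length_units = (HEADER_BYTES + len(body)) // 4
    count = len(attribs) if num_attribs_field is None else num_attribs_field
    header = struct.pack(order + "BBHII", SAMPLE_GLX_OPCODE,
                         X_GLX_CHANGE_DRAWABLE_ATTRIBUTES, length_units, drawable, count)
    return header + body


def check_change_drawable_attributes(buf, little_endian=True):
    """Decode the fixed header and compare the sizes that must agree.

    Returns (verdict, details).  Assumes a plain 16-bit length field (no
    BIG-REQUESTS) and that `little_endian` matches the sending client's byte
    order; a byte-swapped client's request must be decoded with the other order,
    which is why the swapped path is a separate code path in the server."""
    if len(buf) < HEADER_BYTES:
        return "short-header", {"actual_bytes": len(buf)}
    order = "<" if little_endian else ">"
    _req_type, glx_code, length_units, drawable, num_attribs = struct.unpack(
        order + "BBHII", buf[:HEADER_BYTES])
    details = {
        "glxCode": glx_code,
        "drawable": drawable,
        "numAttribs": num_attribs,
        "length_bytes": length_units * 4,                                   # declared by the client
        "implied_bytes": HEADER_BYTES + num_attribs * ATTRIB_PAIR_BYTES,    # implied by numAttribs
        "actual_bytes": len(buf),                                           # really on the wire
    }
    if glx_code != X_GLX_CHANGE_DRAWABLE_ATTRIBUTES:
        return "not-change-drawable-attributes", details
    if details["implied_bytes"] > details["length_bytes"]:
        # The count claims more attribute data than the request declares: a server
        # that trusts numAttribs would walk past the end of the request buffer.
        return "numAttribs-exceeds-length", details
    if details["length_bytes"] != details["actual_bytes"]:
        # Core X checks the length field against the bytes it read before dispatch,
        # so this indicates a capture/framing problem rather than a dispatcher issue.
        return "length-mismatch-on-wire", details
    return "consistent", details


if __name__ == "__main__":
    # Constructed samples: one well-formed request, one with an inflated count.
    good = build_request(0x00400001, [(1, 0), (2, 1)])
    bad = build_request(0x00400001, [(1, 0)], num_attribs_field=1000)
    for name, req in (("well-formed", good), ("inflated numAttribs", bad)):
        verdict, info = check_change_drawable_attributes(req)
        print(f"{name}: {verdict} {info}")
```

Decoding a big-endian client's request with the little-endian layout makes numAttribs look enormous, which is a useful reminder that any tooling applied to the indicator above must know the client's byte order before it can judge the count.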
Mitigation and workarounds
Upgrade X.Org X server to version 21.1.23 or later and Xwayland to version 24.1.12 or later; both contain the upstream fix (xorg commit, xorg announce). Red Hat has issued errata RHSA-2026:26562 (RHEL 8), RHSA-2026:26590 (RHEL 9), and RHSA-2026:26610 (RHEL 9) to address this issue (Red Hat Bugzilla). Amazon Linux 2 users should apply ALAS2-2026-3336. Where patching is not immediately possible, restrict local access to the X server (only trusted users should be able to reach the display socket or hold a valid Xauthority cookie) and leave byte-swapped client support disabled (the default) so the write path cannot be triggered. Note that this workaround does not remove the read path, which any client able to connect can reach.
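An added example (not from this report or from X.Org) that turns the upgrade and workaround advice into a host assessment: it compares a server's version banner with the fixed releases named above and checks whether byte-swapped clients have been enabled, either through the xorg.conf ServerFlags option AllowByteSwappedClients or the +byteswappedclients command-line flag. The banner format, the option spelling and the flag name are assumptions about recent 21.1.x / 24.1.x builds and should be verified against xorg.conf(5) and Xserver(1) on the target; the banner, config text and argv below are constructed samples.

```python
import re

# Fixed releases named in the report above.
FIXED_VERSION = {"xorg-server": (21, 1, 23), "xwayland": (24, 1, 12)}

# First banner line of `Xorg -version` / `Xwayland -version`
# (assumption: both print "X.Org X Server <version>"; verify on your build).
_BANNER_RE = re.compile(r"X Server (\d+(?:\.\d+)+)")
# xorg.conf(5) ServerFlags option for byte-swapped clients
# (assumption: spelling as in recent 21.1.x releases; default is off).
_BYTESWAP_OPT_RE = re.compile(r'Option\s+"AllowByteSwappedClients"\s+"([^"]*)"', re.IGNORECASE)
_TRUE_VALUES = {"1", "on", "true", "yes"}      # xorg.conf boolean spellings
_BYTESWAP_FLAG = "+byteswappedclients"         # assumed Xserver(1) command-line flag


def parse_version(text):
    """'21.1.22' -> (21, 1, 22); tuples compare element-wise, which is what we need."""
    return tuple(int(part) for part in text.strip().split("."))


def version_from_banner(banner):
    match = _BANNER_RE.search(banner)
    return parse_version(match.group(1)) if match else None


def needs_update(product, version):
    """True when `version` is below the fixed release for `product`."""
    return version < FIXED_VERSION[product]


def byteswap_clients_allowed(xorg_conf_text):
    """True if the ServerFlags option turns byte-swapped clients on."""
    match = _BYTESWAP_OPT_RE.search(xorg_conf_text)
    return bool(match) and match.group(1).strip().lower() in _TRUE_VALUES


def byteswap_on_cmdline(argv):
    """True if the server was started with the enabling flag."""
    return _BYTESWAP_FLAG in argv


def assess(product, banner, xorg_conf_text="", argv=()):
    """Combine the checks into one verdict for a host."""
    version = version_from_banner(banner)
    vulnerable = version is not None and needs_update(product, version)
    byteswap = byteswap_clients_allowed(xorg_conf_text) or byteswap_on_cmdline(argv)
    return {
        "version": version,
        "needs_update": vulnerable,
        "read_path_reachable": vulnerable,            # any connected client, default config
        "write_path_reachable": vulnerable and byteswap,
        "byteswap_enabled": byteswap,
    }


if __name__ == "__main__":
    # Constructed sample inputs standing in for `Xorg -version 2>&1 | head -1`,
    # /etc/X11/xorg.conf and the server's command line.
    sample_banner = "X.Org X Server 21.1.22"
    sample_conf = 'Section "ServerFlags"\n    Option "AllowByteSwappedClients" "off"\nEndSection\n'
    print(assess("xorg-server", sample_banner, sample_conf, ["Xorg", ":0", "vt7"]))
```

The distinction between read_path_reachable and write_path_reachable is the point: disabling byte-swapped clients closes the write path only, so a host on a vulnerable version still needs the update.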
Community response
The vulnerability appeared in the top 10 trending CVE lists on Reddit's r/CVEWatch for both June 7 and June 8, 2026, indicating moderate community interest. Rapid7 included it in its June 2026 Patch Tuesday roundup, and Tenable published a detection plugin (Nessus #319842). No significant independent researcher commentary or vendor statements beyond Red Hat's errata and Bugzilla tracking have been identified.
Additional resources
Source: This report was generated using AI.