CVE-2026-50264
NixOS Vulnerability Analysis and Mitigation

Overview

CVE-2026-50264 is an out-of-bounds heap write vulnerability in the X.Org X server and Xwayland affecting the DRIGetBuffers/DRIGetBuffersWithFormat functions in the DRI2 extension. A local X client can trigger the flaw by requesting multiple DRI2BufferBackLeft attachments combined with one DRI2BufferFrontLeft, causing a heap write beyond the intended buffer boundary. Affected versions include X.Org X server up to and including 21.1.22 and Xwayland up to and including 24.1.9; fixed versions are xorg-server 21.1.23 and xwayland 24.1.12. The vulnerability was identified by Peter Hutterer of Red Hat and disclosed on June 5, 2026. It carries a CVSS v3.1 base score of 7.8 (High) (GitHub Advisory, Red Hat Bugzilla).

Technical Details

The root cause is an out-of-bounds write (CWE-787) in the DRI2 buffer allocation logic within DRIGetBuffers and DRIGetBuffersWithFormat. When a client requests an unexpected combination of buffer attachments — specifically multiple DRI2BufferBackLeft entries alongside a DRI2BufferFrontLeft — the server fails to properly bound-check the write operation, resulting in a heap buffer overflow. The attack vector is local: any unprivileged X client with the ability to connect to the X server can send the malformed DRI2 request without requiring elevated privileges or user interaction. The upstream fix is available as a single commit to the xorg/xserver repository (xorg commit, Red Hat Bugzilla).

Impact

Successful exploitation can result in a server crash (denial of service) or, if the X server is running as root (a common configuration on older or traditional Linux setups), full privilege escalation to root-level code execution. The confidentiality, integrity, and availability impacts are all rated High, meaning an attacker could read sensitive memory, corrupt data, or completely take over the affected system. In environments where the X server runs with elevated privileges, this vulnerability could serve as a stepping stone for broader system compromise or lateral movement (GitHub Advisory, Red Hat Bugzilla).

Exploitation Steps

  1. Gain local access: Obtain a low-privileged local user account on a system running a vulnerable X server (xorg-server ≤ 21.1.22 or Xwayland ≤ 24.1.9) with an active X session.
  2. Connect to the X server: Use any X client library (e.g., Xlib or XCB) to establish a connection to the running X server, which is accessible to local users by default.
  3. Craft malformed DRI2 request: Construct a DRI2GetBuffers or DRI2GetBuffersWithFormat request that specifies multiple DRI2BufferBackLeft attachment types along with one DRI2BufferFrontLeft attachment, exceeding the expected buffer allocation bounds.
  4. Trigger heap overflow: Send the crafted request to the X server, causing an out-of-bounds write to the heap in the server process.
  5. Achieve objective: Depending on the server configuration — if running as root — leverage the heap corruption to escalate privileges to root via controlled memory corruption techniques; otherwise, the server crashes, resulting in denial of service (Red Hat Bugzilla, xorg commit).

Indicators of Compromise

  • Logs: Unexpected X server crash logs or core dumps in /var/log/Xorg.0.log or systemd journal entries showing the X server process terminating abnormally; repeated DRI2 protocol errors logged by the X server.
  • Process: Unusual child processes spawned by the X server process (e.g., shells or network tools) if privilege escalation is achieved; X server process running as root with unexpected memory usage spikes.
  • File System: Unexpected core dump files (e.g., core or Xorg.core) in the X server working directory or /tmp; new files or modified SUID binaries created by the X server's user account following a crash.
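The log-based indicators above can be checked mechanically. The following is an added example (not part of the advisory or of any X.Org tooling) that scans a mix of Xorg.0.log-style and systemd journal lines for abnormal X server termination and for repeated DRI2 errors; the sample lines are constructed, and the exact wording of DRI2 error messages is an assumption.

```python
import re
from collections import Counter

# Patterns for the indicators listed above. Xorg writes error lines with an
# "(EE)" prefix; systemd reports a unit whose main process crashed with
# "code=dumped" or "code=killed". The DRI2 message wording is an assumption.
PATTERNS = {
    "xserver_fatal": re.compile(r"\(EE\)\s+(Fatal server error|Caught signal \d+)"),
    "unit_crashed": re.compile(
        r"(xorg|xwayland|display-manager)\S*: Main process exited, code=(dumped|killed)"),
    "dri2_error": re.compile(r"\(EE\).*DRI2", re.IGNORECASE),
}

DRI2_REPEAT_THRESHOLD = 3  # how many DRI2 errors count as "repeated"

def scan_lines(lines):
    """Return (Counter of indicator -> hits, list of (indicator, line))."""
    counts = Counter()
    matched = []
    for line in lines:
        for name, pat in PATTERNS.items():
            if pat.search(line):
                counts[name] += 1
                matched.append((name, line.strip()))
    return counts, matched

def assess(counts):
    """Turn raw hit counts into findings worth triage."""
    findings = []
    if counts["xserver_fatal"] or counts["unit_crashed"]:
        findings.append("X server terminated abnormally (crash/core dump)")
    if counts["dri2_error"] >= DRI2_REPEAT_THRESHOLD:
        findings.append(f"repeated DRI2 protocol errors ({counts['dri2_error']})")
    return findings

# Constructed sample lines (not real log output) in Xorg.0.log and journal formats.
SAMPLE = [
    "[  1203.441] (II) modeset(0): Modeline ...",
    "[  1210.002] (EE) DRI2: GetBuffers request rejected for client 12",
    "[  1210.003] (EE) DRI2: GetBuffers request rejected for client 12",
    "[  1210.004] (EE) DRI2: GetBuffersWithFormat request rejected for client 12",
    "[  1210.120] (EE) Caught signal 11 (Segmentation fault). Server aborting",
    "Jun 06 10:14:02 host systemd[1]: display-manager.service: Main process exited, code=dumped, status=11/SEGV",
]

if __name__ == "__main__":
    counts, matched = scan_lines(SAMPLE)
    for name, line in matched:
        print(f"[{name}] {line}")
    for finding in assess(counts):
        print("FINDING:", finding)
```

In practice, feed it `journalctl -u display-manager` output or `/var/log/Xorg.0.log` instead of `SAMPLE`.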

Mitigation and Workarounds

The upstream fixes are available in xorg-server 21.1.23 and xwayland 24.1.12; users should upgrade to these versions as the primary remediation (xorg commit, xorg-announce). Red Hat has issued security errata addressing this vulnerability for RHEL 8 (RHSA-2026:26562), RHEL 9 (RHSA-2026:26590 and RHSA-2026:26610), and Amazon Linux 2 (ALAS2-2026-3336) (Red Hat RHSA-26562, Red Hat RHSA-26590). As a workaround where patching is not immediately possible, consider running the X server without root privileges (using rootless Xorg or Wayland compositors) to limit the privilege escalation impact to a server crash only.
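To verify that the upgrade actually landed, the fixed release numbers from this advisory can be compared against what the installed binaries report. This is an added example, not vendor or X.Org code; it assumes `Xorg -version` and `Xwayland -version` print a dotted version (X servers typically write it to stderr, so both streams are captured). Any release below the fixed one is flagged, so a build between the last affected release and the fixed release is reported as unpatched, which errs on the side of caution.

```python
import re
import subprocess

# First fixed releases named in the advisory; anything older is treated as
# unpatched. (Last affected releases are 21.1.22 and 24.1.9.)
FIXED_IN = {"xorg-server": (21, 1, 23), "xwayland": (24, 1, 12)}

def parse_version(text):
    """Return the first X.Y.Z version found in text as a tuple of ints, or None."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(g) for g in m.groups()) if m else None

def is_unpatched(component, version):
    """True when version is below the fixed release for that component."""
    if component not in FIXED_IN:
        raise ValueError(f"unknown component: {component}")
    return version < FIXED_IN[component]

def check_output_text(component, version_text):
    """Classify '-version' output; returns (version tuple, unpatched flag)."""
    version = parse_version(version_text)
    if version is None:
        return None, None
    return version, is_unpatched(component, version)

def check_installed(component, binary):
    """Run `<binary> -version` and classify the result; (None, None) if absent."""
    try:
        proc = subprocess.run([binary, "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None, None
    return check_output_text(component, proc.stdout + proc.stderr)

if __name__ == "__main__":
    for component, binary in (("xorg-server", "Xorg"), ("xwayland", "Xwayland")):
        version, unpatched = check_installed(component, binary)
        if version is None:
            print(f"{component}: binary not found or version not parsed")
        else:
            label = "UNPATCHED for CVE-2026-50264" if unpatched else "fixed"
            print(f"{component} {'.'.join(map(str, version))}: {label}")
```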

Community Response

The vulnerability was identified internally by Peter Hutterer of Red Hat's security team and coordinated through Red Hat's PSIRT process (PSIRTSUPT-16950) before public disclosure (Red Hat Bugzilla). Red Hat moved quickly to issue patches for RHEL 8 and RHEL 9 within approximately two weeks of the CVE's publication. No notable independent researcher commentary or significant social media discussion has been observed beyond standard vulnerability tracking and aggregation sites.

This report was generated using AI.
