CVE-2025-26599: 
NixOS vulnerability analysis and mitigation

An access to an uninitialized pointer vulnerability (CVE-2025-26599) was discovered in X.Org and Xwayland. The vulnerability was reported on February 12, 2025, and affects the window management functionality in these display server implementations (CVE Details, Red Hat CVE).

The vulnerability exists in the compRedirectWindow() function's error handling. Specifically, when compCheckRedirect() fails to allocate a backing pixmap, compRedirectWindow() returns a BadAlloc error without properly validating the window tree that was marked just before. This implementation flaw leaves the validated data partially initialized and results in the subsequent use of an uninitialized pointer (Red Hat Bugzilla).

The vulnerability has been assigned a CVSS 3.1 base score of 7.8 (High), with the following characteristics: Local attack vector, Low attack complexity, Low privileges required, No user interaction needed, Unchanged scope, and High impact on confidentiality, integrity, and availability (Ubuntu Security).

Multiple vendors have released patches to address this vulnerability. Ubuntu has released fixes across multiple versions of xorg-server and xwayland packages. Red Hat has addressed the issue in RHEL 8 and 9 through security updates RHSA-2025:2500 and RHSA-2025:2502. Debian has also provided fixed versions for affected packages (Ubuntu Security, Red Hat Errata).