CVE-2025-26601 — Use After Free in Xwayland

CWE-416 — Use After Free11 documents9 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 94.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

X.org Xorg-server X.org Xwayland X.org X Server +1 more

Timeline

PublishedFeb 25

Latest updateMar 17

Description

A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object, possibly causing a use-after-free when the alarm eventually triggers.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶NVDx.org/xwayland< 24.1.6

▶Debianx.org/xwayland< 2:24.1.6-1+1

▶NVDx.org/x_server< 21.1.16

▶Debianx.org/xorg-server< 2:1.20.11-1+deb11u15+3

Also affects: Enterprise Linux 7.0, 8.0, 9.0

🔴Vulnerability Details

OSV

CVE-2025-26601: A use-after-free flaw was found in X↗2025-02-25

▶

GHSA

GHSA-gf8x-6jh7-3mjv: A use-after-free flaw was found in X↗2025-02-25

▶

CVEList

Xorg: xwayland: use-after-free in syncinittrigger()↗2025-02-25

▶

📋Vendor Advisories

Ubuntu

X.Org X Server regression↗2025-03-17

▶

Ubuntu

X.Org X Server vulnerabilities↗2025-03-10

▶

BSD

OpenBSD 7.5 Errata 018: SECURITY FIX↗2025-02-25

▶

Ubuntu

X.Org X Server vulnerabilities↗2025-02-25

▶

Red Hat

xorg: xwayland: Use-after-free in SyncInitTrigger()↗2025-02-25

▶