CVE-2026-50263
Published 2026-06-05
Priority P4 · 26 · medium · 5.5 CVSS 3.1
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.14% (3.4th percentile)
A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow(). A client can trigger a use-after-free read after changing window attributes and forcing the screen saver, leading to information disclosure.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| the_x.org_foundation | xorg-x11-server | — | — |
| x.org | x_server | < 21.1.23 | 21.1.23 |
| x.org | xwayland | < 24.1.12 | 24.1.12 |
CVSS provenance
nvd · v3.1 · 5.5 · MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vendor_redhat · 5.5 · MEDIUM
VulDB
X.org X11 Server CreateSaverWindow use after free (Nessus ID 318747 / WID-SEC-2026-1774)
vuldb·2026-06-06·CVSS 5.5
CVE-2026-50263 [MEDIUM] X.org X11 Server CreateSaverWindow use after free (Nessus ID 318747 / WID-SEC-2026-1774)
A vulnerability was found in X.org X11 Server and classified as critical. Affected by this vulnerability is the function CreateSaverWindow. Such manipulation leads to use after free.
This vulnerability is listed as CVE-2026-50263. The attack must be carried out locally. There is no available exploit.
GHSA
A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow().
ghsa_unreviewed·2026-06-05
CVE-2026-50263 [MEDIUM] CWE-416 A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow().
A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow(). A client can trigger a use-after-free read after changing window attributes and forcing the screen saver, leading to information disclosure.
Red Hat
xorg-x11-server: xorg-x11-server-Xwayland: xorg-x11-server: use-after-free information disclosure in CreateSaverWindow()
vendor_redhat·2026-06-02·CVSS 5.5
CVE-2026-50263 [MEDIUM] CWE-416 xorg-x11-server: xorg-x11-server-Xwayland: xorg-x11-server: use-after-free information disclosure in CreateSaverWindow()
A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow(). A client can trigger a use-after-free read after changing window attributes and forcing the screen saver, leading to information disclosure.
Package: xorg-x11-server-Xwayland (Red Hat Enterprise Linux 10) - Affected
Package: xorg-x11-server (Red Hat Enterprise Linux 6) - Out of support scope
Package: xorg-x11-server (Red Hat Enterprise Linux 7) - Affected
Package: xorg-x11-server (Red Hat Enterprise Linux 8) - Affected
Package: xorg-x11-server-Xwayland (Red Hat Enterprise Linux 8) - Affected
Package: xorg-x11-server (Red Hat Enterprise Linux 9) - Affected
Package: xorg-x11-
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-50263 xorg-x11-server: xorg-x11-server-Xwayland: xorg-x11-server: use-after-free information disclosure in CreateSaverWindow()
bugzilla·2026-06-05·CVSS 5.5
CVE-2026-50263 [MEDIUM] CVE-2026-50263 xorg-x11-server: xorg-x11-server-Xwayland: xorg-x11-server: use-after-free information disclosure in CreateSaverWindow()
A client can trigger a use-after-free read after changing window attributes and forcing the screen saver in CreateSaverWindow(), leading to information disclosure.
Any X client that can connect to the server can trigger this issue.
Components affected: xorg-x11-server, xorg-x11-server-Xwayland
Versions affected: xorg-x11-server <= 21.1.22, xorg-x11-server-Xwayland <= 24.1.9
Fixed upstream in xorg-server-21.1.23 and xwayland-24.1.12.
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ecc634f1b2f7aa473d3a267eada98c4918bf9e05
Reported via ZDI-CAN-30168 (Trend Micro Zero Day Initiative). Tracking: PSIRTSUPT-16950.
Rapid7
Patch Tuesday - June 2026
blogs_rapid7·2026-06-09·CVSS 7.8
CVE-2026-33825 [HIGH] Patch Tuesday - June 2026
Microsoft is publishing 200 vulnerabilities on June 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild for any of these vulnerabilities, and is aware of public disclosure for three. This is similar to last month’s Patch Tuesday, however several of last month’s vulnerabilities ended up on CISA KEV in the days following their publication. So far this month, Microsoft has provided patches to address 360 browser vulnerabilities, which is an order of magnitude more than has been typical in any given month over the past few years. As usual, browser vulns are not included in the Patch Tuesday count above. Indeed, the vast, and presumably sustained, uptick in the number of browser vulnerabilities has led to Microsoft no longer enumerating Chromium CVEs in the Security Update G
https://access.redhat.com/errata/RHSA-2026:26562
https://access.redhat.com/errata/RHSA-2026:26566
https://access.redhat.com/errata/RHSA-2026:26590
https://access.redhat.com/errata/RHSA-2026:26610
https://access.redhat.com/errata/RHSA-2026:26709
https://access.redhat.com/errata/RHSA-2026:28923
https://access.redhat.com/errata/RHSA-2026:29844
https://access.redhat.com/security/cve/CVE-2026-50263
https://bugzilla.redhat.com/show_bug.cgi?id=2485388
https://gitlab.freedesktop.org/xorg/xserver/-/commit/ecc634f1b2f7aa473d3a267eada98c4918bf9e05
https://lists.x.org/archives/xorg-announce/2026-June/003702.html
https://redhat.atlassian.net/browse/PSIRTSUPT-16950
Published: 2026-06-05