X.Org X Server vulnerabilities
89 known vulnerabilities affecting x.org/x_server.
Total CVEs
89
CISA KEV
0
Public exploits
3
Exploited in wild
2
Severity breakdown
CRITICAL14HIGH49MEDIUM23LOW3
Vulnerabilities
Page 2 of 5
CVE-2017-12179P3CRITICALCVSS 9.8fixed in 1.19.52018-01-24
CVE-2017-12179 [CRITICAL] CWE-391 CVE-2017-12179: xorg-x11-server before 1.19.5 was vulnerable to integer overflow in (S)ProcXIBarrierReleasePointer f
xorg-x11-server before 1.19.5 was vulnerable to integer overflow in (S)ProcXIBarrierReleasePointer functions allowing malicious X client to cause X server to crash or possibly execute arbitrary code.
nvd
CVE-2017-12177P3CRITICALCVSS 9.8fixed in 1.19.52018-01-24
CVE-2017-12177 [CRITICAL] CWE-391 CVE-2017-12177: xorg-x11-server before 1.19.5 was vulnerable to integer overflow in ProcDbeGetVisualInfo function al
xorg-x11-server before 1.19.5 was vulnerable to integer overflow in ProcDbeGetVisualInfo function allowing malicious X client to cause X server to crash or possibly execute arbitrary code.
nvd
CVE-2022-46342P3HIGHCVSS 8.8v1.20.42022-12-14
CVE-2022-46342 [HIGH] CWE-416 CVE-2022-46342: A vulnerability was found in X.Org. This security flaw occurs because the handler for the XvdiSelect
A vulnerability was found in X.Org. This security flaw occurs because the handler for the XvdiSelectVideoNotify request may write to memory after it has been freed. This issue can lead to local privileges elevation on systems where the X se
nvd
CVE-2026-50259P3HIGHCVSS 7.8fixed in 21.1.232026-06-05
CVE-2026-50259 [HIGH] CWE-121 CVE-2026-50259: A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. _XkbSetMapChecks()
A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type index. The helper function CheckKeyTypes() writes to this buffer at a client-controlled offset, allowing a stack buffer overflow. This may be used to crash the server, or for privilege
nvd
CVE-2026-50256P3HIGHCVSS 7.8fixed in 21.1.232026-06-05
CVE-2026-50256 [HIGH] CWE-121 CVE-2026-50256: A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. A mismatch between
A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. A mismatch between the X server and the libXfont2 library's maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2's alias target name length is 1024 bytes. A font alias name betwe
nvd
CVE-2023-6377P3HIGHCVSS 7.8fixed in 21.1.102023-12-13
CVE-2023-6377 [HIGH] CWE-125 CVE-2023-6377: A flaw was found in xorg-server. Querying or changing XKB button actions such as moving from a touch
A flaw was found in xorg-server. Querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution in cases where X11 forwarding is involved.
nvd
CVE-2024-0229P3HIGHCVSS 7.8fixed in 21.1.112024-02-09
CVE-2024-0229 [HIGH] CWE-787 CVE-2024-0229: An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when
An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.
nvd
CVE-2026-50258P3HIGHCVSS 7.8fixed in 21.1.232026-06-05
CVE-2026-50258 [HIGH] CVE-2026-50258: A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has mu
A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger stack overflows. This is caused by an inc
nvd
CVE-2026-50264P3HIGHCVSS 7.8fixed in 21.1.232026-06-05
CVE-2026-50264 [HIGH] CWE-787 CVE-2026-50264: An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuff
An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat. A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write. This may be used to crash the server, or for privilege escalation if the X server runs as root.
nvd
CVE-2007-6427P3CRITICALCVSS 9.3fixed in 1.4.12008-01-18
CVE-2007-6427 [CRITICAL] CVE-2007-6427: The XInput extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arb
The XInput extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via requests related to byte swapping and heap corruption within multiple functions, a different vulnerability than CVE-2007-4990.
nvd
CVE-2022-2320P3HIGHCVSS 7.8v21.1.02022-09-01
CVE-2022-2320 [HIGH] CWE-787 CVE-2022-2320: A flaw was found in the Xorg-x11-server. The specific flaw exists within the handling of ProcXkbSetD
A flaw was found in the Xorg-x11-server. The specific flaw exists within the handling of ProcXkbSetDeviceInfo requests. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. This flaw allows an attacker to escalate privileges and execute arbitrary code in the
nvd
CVE-2026-50260P3HIGHCVSS 7.8fixed in 21.1.232026-06-05
CVE-2026-50260 [HIGH] CWE-416 CVE-2026-50260: A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). A client that s
A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection. This may be used to crash the server, or for privilege escalation if the X server runs as root.
nvd
CVE-2026-50257P3HIGHCVSS 7.8fixed in 21.1.232026-06-05
CVE-2026-50257 [HIGH] CWE-416 CVE-2026-50257: A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client
A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free. This m
nvd
CVE-2026-50261P3HIGHCVSS 7.8fixed in 21.1.232026-06-05
CVE-2026-50261 [HIGH] CWE-416 CVE-2026-50261: A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client
A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters. This may be used to crash the server, or for privilege escalation if the X server runs as root.
nvd
CVE-2023-6478P3HIGHCVSS 7.5fixed in 21.1.102023-12-13
CVE-2023-6478 [HIGH] CWE-190 CVE-2023-6478: A flaw was found in xorg-server. A specially crafted request to RRChangeProviderProperty or RRChange
A flaw was found in xorg-server. A specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information.
nvd
CVE-2025-26595P3HIGHCVSS 7.8fixed in 21.1.162025-02-25
CVE-2025-26595 [HIGH] CWE-121 CVE-2025-26595: A buffer overflow flaw was found in X.Org and Xwayland. The code in XkbVModMaskText() allocates a fi
A buffer overflow flaw was found in X.Org and Xwayland. The code in XkbVModMaskText() allocates a fixed-sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code fails to check the bounds of the buffer and would copy the data regardless of the size.
nvd
CVE-2025-26598P3HIGHCVSS 7.8fixed in 21.1.162025-02-25
CVE-2025-26598 [HIGH] CWE-787 CVE-2025-26598: An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searche
An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searches for the pointer device based on its device ID and returns the matching value, or supposedly NULL, if no match was found. However, the code will return the last element of the list if no matching device ID is found, which can lead to out-of-bounds memo
nvd
CVE-2022-4283P3HIGHCVSS 7.8v1.20.42022-12-14
CVE-2022-4283 [HIGH] CWE-416 CVE-2022-4283: A vulnerability was found in X.Org. This security flaw occurs because the XkbCopyNames function left
A vulnerability was found in X.Org. This security flaw occurs because the XkbCopyNames function left a dangling pointer to freed memory, resulting in out-of-bounds memory access on subsequent XkbGetKbdByName requests.. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh
nvd
CVE-2023-0494P3HIGHCVSS 7.8fixed in 21.1.72023-03-27
CVE-2023-0494 [HIGH] CWE-416 CVE-2023-0494: A vulnerability was found in X.Org. This issue occurs due to a dangling pointer in DeepCopyPointerCl
A vulnerability was found in X.Org. This issue occurs due to a dangling pointer in DeepCopyPointerClasses that can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read and write into freed memory. This can lead to local privilege elevation on systems where the X server runs privileged and remote code execution for ssh X forwarding s
nvd
CVE-2025-26597P3HIGHCVSS 7.8fixed in 21.1.162025-02-25
CVE-2025-26597 [HIGH] CWE-119 CVE-2025-26597: A buffer overflow flaw was found in X.Org and Xwayland. If XkbChangeTypesOfKey() is called with a 0
A buffer overflow flaw was found in X.Org and Xwayland. If XkbChangeTypesOfKey() is called with a 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If the same function is later called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size.
nvd