====================================================================== X.Org Security Advisory: April 14, 2026
Issues in X.Org X server prior to 21.1.22 and Xwayland prior to 24.1.10 ====================================================================== Multiple issues have been found in the X server and Xwayland implementations published by X.Org for which we are releasing security fixes for in xorg-server-21.1.22 and xwayland-24.1.10. * CVE-2026-33999: XKB Integer Underflow in XkbSetCompatMap()If a "compat" buffer was previously truncated, there will be unused
space left in the buffer. The code in XkbSetCompatMap() will use that space, but fails to update the number of valid entries actually in the buffer. As a result, that can lead to buffer read overrun when processing a future request. Introduced in: Prior to X11R6.6 Xorg baseline Fixed in: xorg-server-21.1.22 and xwayland-24.1.10 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/b024ae17 Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative. * CVE-2026-34000: XKB Out-of-bounds Read in CheckSetGeom() Each key alias entry contains two key names (the alias and the real key name).The code in CheckSetGeom() does its bounds checking using only the
first name, allowing XkbAddGeomKeyAlias to read uninitialised memory. Introduced in: xorg-server-21.1.4 and xwayland-22.1.3 Fixed in: xorg-server-21.1.22 and xwayland-24.1.10 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/81b6a34f Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative. * CVE-2026-34001: XSYNC Use-after-free in miSyncTriggerFence() When walking the list of fences to trigger, miSyncTriggerFence() may call TriggerFence() for the current trigger, which end up calling the function SyncAwaitTriggerFired(). SyncAwaitTriggerFired() frees the entire await resource, which removes all triggers from that await, including the next entries in the list of fences, leading to a use-after-free. Introduced in: xorg-server-1.9.0 Fixed in: xorg-server-21.1.22 and xwayland-24.1.10 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f19ab94b Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative. * CVE-2026-34002: XKB Out-of-bounds read in CheckModifierMap() CheckModifierMap() reads from the wire in a loop without verifying that the data remains within the bounds of the client request.As a result, the total number of keys could exceed the actual data
provided, causing a potential read of uninitialised memory. Introduced in: Prior to X11R6.6 Xorg baseline Fixed in: xorg-server-21.1.22 and xwayland-24.1.10 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f056ce1c Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative. * CVE-2026-34003: XKB Buffer overflow in CheckKeyTypes() The function CheckKeyTypes() will loop over the client's request but won't perform any additional bound checking to ensure that the data read remains within the request bounds.As a result, a specifically crafted request may cause CheckKeyTypes()
to read uninitialised memory past the request data. Introduced in: Prior to X11R6.6 Xorg baseline Fixed in: xorg-server-21.1.22 and xwayland-24.1.10 Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/b85b00dd https://gitlab.freedesktop.org/xorg/xserver/-/commit/d38c563f Found by: Jan-Niklas Sohn working with TrendAI Zero Day Initiative. ------------------------------------------------------------------------ X.Org thanks all of those who reported and fixed these issues, and those who helped with the review and release of this advisory and these fixes.
OpenPGP_0x14706DBE1E4B4540.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
