CVE-2026-50256: Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: stack buffer overflow in font alias resolution due to libxfont2 name length mismatch
A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. A mismatch between the X server and the libXfont2 library's maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2's alias target name length is 1024 bytes. A font alias name between 257 and 1023 bytes causes the X server to copy that name into the undersized stack buffer without further checks. This may be used to crash the server, or for privilege escalation if the X server runs as root.
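The length mismatch described above, as an added example that is not code from the X server, libXfont2, or any upstream fix: a consumer with a 256-byte stack buffer taking names from a producer that allows up to 1024 bytes, with the bounded copy that refuses oversized names. The two sizes come from the advisory text; every macro and function name is hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Sizes are the ones stated in the advisory; the macro and function names
 * are hypothetical and do not come from the X server or libXfont2. */
#define SERVER_NAME_BUF 256   /* consumer's stack buffer */
#define LIB_ALIAS_MAX   1024  /* producer's alias target name limit */

/* Pattern described in the advisory (shown as a comment, never compiled):
 *     char name[SERVER_NAME_BUF];
 *     memcpy(name, target, target_len);   // target_len may be 257..1023
 */

/* Bounded copy: rejects any name that does not fit together with its NUL,
 * so a 256-byte name is refused as well. */
static int copy_alias_target(char *dst, size_t dst_size,
                             const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -EINVAL;
    if (src_len >= dst_size) {
        dst[0] = '\0';            /* leave the destination well defined */
        return -ENAMETOOLONG;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Hypothetical consumer: resolves one alias target into a fixed stack
 * buffer and returns the accepted length, or a negative errno value. */
int resolve_alias_len(const char *target, size_t target_len)
{
    char name[SERVER_NAME_BUF];
    int rc = copy_alias_target(name, sizeof name, target, target_len);
    return rc != 0 ? rc : (int)strlen(name);
}

/* Counts how many producer-legal lengths (1..LIB_ALIAS_MAX-1) the consumer
 * must refuse; the input is constructed in place. */
int count_rejected_lengths(void)
{
    char target[LIB_ALIAS_MAX];
    int rejected = 0;
    memset(target, 'a', sizeof target);
    for (size_t len = 1; len < LIB_ALIAS_MAX; len++)
        if (resolve_alias_len(target, len) == -ENAMETOOLONG)
            rejected++;
    return rejected;
}
```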
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 7
HarborGuard Analysis
Synopsis
A stack-based buffer overflow affects the X.Org X server and Xwayland, triggered during font alias resolution when a font alias name is between 257 and 1023 bytes long. The flaw is reachable locally by any low-privilege account without requiring victim interaction, because the X server copies the oversized alias target name into a 256-byte stack buffer without bounds checking. Successful exploitation crashes the X server or, where the server runs as root, enables privilege escalation to root. No upstream fix has been published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection for CVE-2026-50256 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle the X.Org server or Xwayland packages.
Status: Available
Triage is available with the CVSS v3.1 score of 7.8 (HIGH) applied to every matched image finding; per-environment compliance policy weighting can escalate or suppress the finding before it is routed to the appropriate team inbox inside each customer organization.
Status: Available
Because no fix version has been published for this CVE, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment Red Hat or the upstream X.Org project ships a corrected package. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
The attack vector is local (AV:L), so the attacker needs an existing shell or process on the host rather than any network path to the service.
- Authentication: Required
A low-privilege local account is sufficient (PR:L); no elevated or administrative credentials are needed to trigger the overflow.
- Victim interaction: Not required
No user interaction is required (UI:N); the attacker can trigger the overflow without involving any other user.
- Attack complexity
Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special race conditions, memory-layout dependencies, or environmental preconditions beyond sending a crafted font alias name.
Blast Radius
- Crashes the X server or Xwayland process, interrupting all graphical sessions on the host.
- Where the X server runs as root, overwrites stack memory to redirect execution and gain root-level privileges on the system.
- A root-level compromise allows reading any file on the host, including credential stores, private keys, and application secrets.
- A root-level compromise allows modifying or deleting any file on the host, including system binaries and configuration.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-50256 is active for all images containing affected X.Org server or Xwayland packages across Red Hat Enterprise Linux 6 through 10 base layers. Because no upstream fix has been published, HarborGuard monitors the Red Hat and upstream X.Org advisory sources on every ingest cycle; a patched-image rebuild will become available automatically the moment a corrected package is released, and customers with auto-remediation enabled will receive the rebuild, regression run, and an opened PR against affected workloads without manual intervention. In the interim, compensating controls worth considering include restricting local user access to hosts running the X server, disabling the X server's setuid-root bit where the deployment allows it (to limit the privilege escalation path to crash-only impact), and applying network or process-isolation policies to reduce the set of local accounts that can reach the X server socket.
Affected Products
- Red Hat / Red Hat Enterprise Linux 10
- Red Hat / Red Hat Enterprise Linux 6
- Red Hat / Red Hat Enterprise Linux 7
- Red Hat / Red Hat Enterprise Linux 8
- Red Hat / Red Hat Enterprise Linux 8
- Red Hat / Red Hat Enterprise Linux 9
- Red Hat / Red Hat Enterprise Linux 9
CVSS v3.1 vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H