Severity: HIGH | CVE-2026-50258 | CNA: redhat

CVE-2026-50258: Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: stack buffer overflow in xkb key types due to unchecked shift levels

A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger stack overflows. This is caused by an incomplete fix of CVE-2025-26597. This may be used to crash the server, or for privilege escalation if the X server runs as root.
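A simplified model of the missing check, added here as an illustration and not taken from the X.Org source: `check_key_types` rejects any key type whose level count exceeds `XkbMaxShiftLevel` before a buffer of `XkbMaxShiftLevel * XkbNumKbdGroups` entries is written. The struct, the function names, and the constant values (63 and 4) are assumptions of this model.

```c
#include <stddef.h>
#include <stdio.h>
#define XkbMaxShiftLevel 63  /* value assumed for this model */
#define XkbNumKbdGroups   4  /* value assumed for this model */

/* Hypothetical, simplified key type: only the client-controlled field. */
struct model_key_type { unsigned num_levels; };

/* Reject any key type whose level count cannot fit the fixed buffers.
 * Returns 0 if all types are acceptable, else the 1-based index of the
 * first offending type. */
int check_key_types(const struct model_key_type *types, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (types[i].num_levels < 1 || types[i].num_levels > XkbMaxShiftLevel)
            return (int)i + 1;
    return 0;
}

/* Consumer with a stack buffer sized as in the advisory. idx[g] selects the
 * key type used by group g. Returns slots written, or -1 if rejected. */
int fill_key_syms(const struct model_key_type *types, size_t n,
                  const size_t idx[XkbNumKbdGroups])
{
    unsigned syms[XkbMaxShiftLevel * XkbNumKbdGroups];
    unsigned width = 0;
    int written = 0;
    for (int g = 0; g < XkbNumKbdGroups; g++) {
        if (idx[g] >= n || check_key_types(&types[idx[g]], 1) != 0)
            return -1;               /* re-check at the point of use */
        if (types[idx[g]].num_levels > width)
            width = types[idx[g]].num_levels;
    }
    for (unsigned g = 0; g < XkbNumKbdGroups; g++)
        for (unsigned l = 0; l < width; l++, written++)
            syms[g * width + l] = 0; /* max index: 4 * 63 - 1 = 251 */
    (void)syms;
    return written;
}

int main(void)
{
    /* Constructed sample: the third type asks for 64 levels, one too many. */
    struct model_key_type types[] = { {2}, {63}, {64} };
    size_t ok[XkbNumKbdGroups] = {0, 1, 0, 0}, bad[XkbNumKbdGroups] = {0, 2, 0, 0};
    printf("first bad type: %d\n", check_key_types(types, 3));
    printf("ok=%d bad=%d\n", fill_key_syms(types, 3, ok), fill_key_syms(types, 3, bad));
    return 0;
}
```

Repeating the bound at the point of use keeps the buffer safe even if a later code path changes a key type without going through the validator.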

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 7


HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the X.Org X server and Xwayland, affecting all supported Red Hat Enterprise Linux versions. The flaw is reachable locally by any low-privilege account and requires no interaction from another user. Successful exploitation crashes the X server or, when the X server runs as root, grants full privilege escalation to the attacker. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the affected xorg-x11-server or xwayland packages. Any image in a customer registry or CI pipeline carrying a vulnerable version is flagged immediately.

Status: Available

Triage

HarborGuard scores this finding at CVSS 7.8 HIGH using the published v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox inside each customer organization based on image ownership and policy configuration.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as a fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically once an upstream patch lands.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the service is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to send malicious XKB key-type change requests to the X server.

  • Victim interaction: Not required

    No action from another user or administrator is needed; the attacker can trigger the overflow unilaterally.

  • Attack complexity: Low

    The exploit is reliable and condition-free once local access is obtained; no race condition or specific memory layout is required.

Blast Radius

  • Crashes the X server, disrupting all graphical sessions on the affected host.
  • When the X server runs as root (a common configuration on older RHEL versions), the attacker gains full root-level code execution on the host.
  • An attacker with elevated privileges can read sensitive files, credentials, or session tokens accessible to the root user.
  • Persistence mechanisms or further lateral movement become available to the attacker following a successful privilege escalation.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-50258 is active across all customer environments, flagging any image that ships a vulnerable xorg-x11-server or xwayland package on affected Red Hat Enterprise Linux versions. Because no upstream fix has been published, HarborGuard monitors the advisory on each ingest cycle and will surface a patched-image rebuild the moment Red Hat ships a corrected package.

In the interim, compensating controls worth considering include:

  • restricting access to the X server socket via network policy or host-level access controls;
  • running the X server as a non-root user where operationally feasible, to eliminate the privilege-escalation path;
  • using feature-flag or session-configuration options to disable XKB key-type modification by untrusted clients.

For customers with auto-remediation enabled, the rebuild and regression run will trigger automatically once the upstream fix is available, with a PR opened against affected workloads.

Affected packages
  • Red Hat / Red Hat Enterprise Linux 10
  • Red Hat / Red Hat Enterprise Linux 6
  • Red Hat / Red Hat Enterprise Linux 7
  • Red Hat / Red Hat Enterprise Linux 8
  • Red Hat / Red Hat Enterprise Linux 8
  • Red Hat / Red Hat Enterprise Linux 9
  • Red Hat / Red Hat Enterprise Linux 9
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H