CVE-2026-50259: Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: stack buffer overflow in xkb setmap request via mapwidths indexing
A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type index. The helper function CheckKeyTypes() writes to this buffer at a client-controlled offset, allowing a stack buffer overflow. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 7
HarborGuard Analysis
Synopsis
A stack-based buffer overflow affects the X.Org X server and Xwayland. The flaw is reachable locally by a low-privilege user: the XKB SetMap request handler declares a fixed-size 256-entry stack buffer that is indexed by a client-controlled value with no bounds check, allowing an out-of-bounds write. Successful exploitation crashes the X server or, when the X server runs as root, gives the attacker full root privileges. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched rebuild available as soon as one is released.
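An added example, not X.Org or HarborGuard code: a simplified C model of the pattern described above, with the range check placed before the first write into the stack buffer. The struct, field and function names are hypothetical and do not reproduce the real XKB request layout; only the 256-entry buffer size comes from the advisory.

```c
#include <stdint.h>
#include <string.h>

#define MAP_WIDTHS_LEN 256u /* size of mapWidths[] stated in the advisory */

/* Hypothetical, simplified request fields; not the real XKB wire layout. */
struct model_req {
    unsigned first_type;   /* client-supplied first key type index */
    unsigned n_types;      /* client-supplied number of key types */
    const uint8_t *widths; /* n_types width values taken from the request */
};

/* Models the helper: fills map_widths[first_type .. first_type+n_types-1].
 * Returns 0 on success, or -1 without writing when any index is out of range. */
static int model_check_key_types(const struct model_req *req, uint8_t *map_widths)
{
    /* Range check before the first write. Comparing against the remaining
     * space means first_type + n_types is never computed and cannot wrap. */
    if (req->first_type >= MAP_WIDTHS_LEN ||
        req->n_types > MAP_WIDTHS_LEN - req->first_type)
        return -1;
    for (unsigned i = 0; i < req->n_types; i++)
        map_widths[req->first_type + i] = req->widths[i];
    return 0;
}

/* Models the caller, which owns the fixed-size stack buffer. */
int model_set_map_checks(const struct model_req *req)
{
    uint8_t map_widths[MAP_WIDTHS_LEN];
    memset(map_widths, 0, sizeof map_widths);
    return model_check_key_types(req, map_widths);
}

/* Builds a constructed request and runs it through the modelled handler. */
int model_demo(unsigned first_type, unsigned n_types)
{
    static const uint8_t widths[MAP_WIDTHS_LEN] = {0}; /* constructed sample data */
    struct model_req req = { first_type, n_types, widths };
    return model_set_map_checks(&req);
}

int main(void)
{
    /* In-range request is accepted; one entry past the end is rejected. */
    return (model_demo(252, 4) == 0 && model_demo(252, 5) == -1) ? 0 : 1;
}
```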
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle X.Org or Xwayland. Any image layer containing an affected version of xorg-x11-server or xorg-x11-server-Xwayland is flagged automatically.
Available
HarborGuard is capable of scoring this CVE at CVSS 7.8 HIGH and weighting the finding against each environment's compliance policy to determine urgency. Routed findings land in the appropriate team inbox within the customer org based on image ownership and policy configuration.
Available
Because no fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically once a fix version is confirmed.
Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network access to the service is required.
- Authentication: Required
  Any low-privilege local account is sufficient to send the malformed XKB SetMap request that triggers the overflow.
- Victim interaction: Not required
  No user interaction is needed; the attacker sends the crafted request directly to the X server.
- Attack complexity
  The exploit is reliable and condition-free; no race conditions or special memory layout assumptions are required.
Blast Radius
- Crashes the X server, disrupting the graphical session and any applications running under it.
- When the X server runs as root (a common deployment on RHEL 6 and 7), overwrites stack memory to redirect execution and gain full root privileges on the host.
- With root access, reads all files on the system including stored credentials, private keys, and application secrets.
- With root access, modifies or destroys persisted data and installs persistent backdoors.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-50259 is active across all connected registries and CI pipelines, with no configuration required. Because Red Hat has not yet published a fix version, HarborGuard monitors the advisory on every ingest cycle. The moment an upstream patch is released, a patched-image rebuild at the fix version becomes available automatically. For customers with auto-remediation enabled, the pipeline will trigger a rebuild, run regression tests, and open a PR against every affected workload without manual intervention. While no patch is available, compensating controls worth applying include network-policy isolation to limit which workloads can reach X server sockets, restricting X server execution to non-root accounts where deployment allows, and using feature-flag or launch configuration options to disable XKB processing if the application does not require it.
- Red Hat / Red Hat Enterprise Linux 10
- Red Hat / Red Hat Enterprise Linux 6
- Red Hat / Red Hat Enterprise Linux 7
- Red Hat / Red Hat Enterprise Linux 8
- Red Hat / Red Hat Enterprise Linux 8
- Red Hat / Red Hat Enterprise Linux 9
- Red Hat / Red Hat Enterprise Linux 9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H