CVE-2026-50260: Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: use-after-free in freecounter()

Synopsis

A use-after-free vulnerability exists in the X.Org X server and Xwayland, specifically in the FreeCounter() function. The flaw is reachable locally by a low-privileged user who sets up multiple SyncCounters on one client connection and destroys them via a second connection, triggering access to already-freed memory. Successful exploitation crashes the X server or, if the server runs as root, enables full privilege escalation on the host. No upstream fix has been published yet; HarborGuard is tracking the advisory and will make a patched rebuild available as soon as one is released.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityNot required

  The attacker needs an existing shell or process on the host; no network path to the service is required.

• AuthenticationRequired

  Any low-privilege local account is sufficient to open the necessary client connections to the X server.

• Victim interactionNot required

  No victim interaction is needed; the attacker triggers the condition entirely through their own client connections.

• Attack complexityDetail

  The exploit is reliable and condition-free once local access exists, requiring no race conditions or special environmental factors beyond a running X server with SyncCounter support.

Blast Radius

• Crashes the X server, disrupting all graphical sessions and applications depending on it.
• If the X server runs as root (a common configuration on many Linux systems), the attacker gains root-level code execution on the host.
• With root access, the attacker reads any file on the host, including credentials, secrets, and application data stored on disk.
• With root access, the attacker modifies or deletes any file or configuration, including system binaries and container runtime components.