CVE-2026-50264: Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: out-of-bounds heap write in dri2 drigetbuffers/drigetbufferswithformat
An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat. A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 7
HarborGuard Analysis
Synopsis
An out-of-bounds heap write vulnerability exists in the X.Org X server and Xwayland, specifically in the DRI2 buffer handling functions DRIGetBuffers and DRIGetBuffersWithFormat. A local attacker with a low-privilege account can trigger the flaw by requesting multiple DRI2BufferBackLeft attachments alongside a DRI2BufferFrontLeft, causing a write past the end of a heap allocation. Successful exploitation crashes the X server or enables privilege escalation to root if the X server runs with root privileges. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix is released.
HarborGuard Coverage
Detection of CVE-2026-50264 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images containing the affected xorg-x11-server or xwayland packages.
Status: Available
Triage is available with a CVSS v3.1 score of 7.8 (HIGH), weighted further by each customer org's compliance policy to prioritize workloads running the X server with elevated privileges; findings are routed automatically to the appropriate team inbox within each customer environment.
Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Red Hat or the upstream X.Org project ships a corrected package. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger without manual intervention once a fix version becomes available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or local process on the host; no network access to the service is required.
- Authentication: Required
  Any low-privilege local account is sufficient to open a connection to the X server and send the malformed DRI2 buffer request.
- Victim interaction: Not required
  No interaction from another user or process is needed; the attacker sends the request directly to the X server.
- Attack complexity
  The exploit is reliable and condition-free; no race conditions or specific memory layout prerequisites are documented for triggering the out-of-bounds write.
Blast Radius
- The X server process crashes, disrupting all graphical sessions and any applications depending on the display.
- If the X server runs as root (a common configuration on older RHEL versions), the attacker gains root-level code execution on the host.
- An attacker with root access can read any file on the system, including stored credentials, secrets, and application data.
- An attacker with root access can modify or delete arbitrary files, including binaries and configuration, enabling persistent backdoor installation.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-50264 as of publication, HarborGuard continuously re-checks the Red Hat and X.Org advisory sources on every ingest cycle, covering all affected RHEL versions (6 through 10) and Xwayland packages. In the interim, compensating controls can be applied at the image or deployment level: network-policy isolation to restrict which workloads can reach the affected host's local socket, dropping unnecessary X server privileges via security contexts or removing setuid bits where operationally feasible, and feature-flag gating of DRI2 acceleration in environments where hardware rendering is not required. For customers with auto-remediation enabled, a patched-image rebuild, regression test run, and PR opened against affected workloads will be triggered automatically the moment an upstream fix version is published, with median time from patch publication to merged PR for high-severity issues around 90 minutes in those environments.
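An added check for the root-privilege condition discussed above (not HarborGuard or X.Org code): it classifies X server processes from `ps -eo pid=,euid=,comm=` output by effective UID and lists candidate binaries that carry the setuid bit. The process names, the binary paths named in the comments, and the sample `ps` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find X servers whose crash-or-escalate impact would be root-level.

# Constructed sample in the format of: ps -eo pid=,euid=,comm=
SAMPLE_PS='  812     0 Xorg
 1440  1000 Xwayland
 1502  1000 bash
 2077     0 sshd'

# Process names treated as X servers (assumption: stock binary names).
is_x_server() {
    case "$1" in
        X|Xorg|Xorg.bin|Xwayland) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads "pid euid comm" lines on stdin and prints "ROOT pid comm" for an
# X server with effective UID 0, "OK pid comm" for an unprivileged one.
classify_x_servers() {
    while read -r pid euid comm; do
        [ -n "$comm" ] || continue
        is_x_server "$comm" || continue
        if [ "$euid" -eq 0 ]; then
            echo "ROOT $pid $comm"
        else
            echo "OK $pid $comm"
        fi
    done
}

# Prints each given path that exists and carries the setuid bit.
# Candidate paths are an assumption; adjust per distribution, for example:
#   setuid_paths /usr/bin/Xorg /usr/libexec/Xorg /usr/libexec/Xorg.wrap
setuid_paths() {
    for p in "$@"; do
        [ -u "$p" ] && echo "$p"
    done
    return 0
}

# Demonstration on the constructed sample; on a live host use:
#   ps -eo pid=,euid=,comm= | classify_x_servers
printf '%s\n' "$SAMPLE_PS" | classify_x_servers
```

Any `ROOT` line marks a host where the privilege-escalation outcome applies rather than only the crash; a path reported by `setuid_paths` is a candidate for the setuid-removal control mentioned above.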
Affected Products
- Red Hat / Red Hat Enterprise Linux 10
- Red Hat / Red Hat Enterprise Linux 6
- Red Hat / Red Hat Enterprise Linux 7
- Red Hat / Red Hat Enterprise Linux 8
- Red Hat / Red Hat Enterprise Linux 8
- Red Hat / Red Hat Enterprise Linux 9
- Red Hat / Red Hat Enterprise Linux 9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H