CVE-2025-26599: Xorg: xwayland: use of uninitialized pointer in compredirectwindow()
First published: Wed Feb 12 2025(Updated: )
An access to an uninitialized pointer flaw was found in X.Org and Xwayland. The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error without validating the window tree marked just before, which leaves the validated data partly initialized and the use of an uninitialized pointer later.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat Xorg-x11-server-xwayland | ||
| debian/xorg-server | <=2:1.20.11-1+deb11u13<=2:21.1.7-3+deb12u8<=2:21.1.15-3 | 2:1.20.11-1+deb11u15 2:21.1.7-3+deb12u9 2:21.1.16-1 |
| debian/xwayland | <=2:22.1.9-1<=2:24.1.5-1 | 2:24.1.6-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=2345253
- https://access.redhat.com/security/cve/CVE-2025-26599
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26599
- https://nvd.nist.gov/vuln/detail/CVE-2025-26599
- https://launchpad.net/bugs/cve/CVE-2025-26599
- https://security-tracker.debian.org/tracker/CVE-2025-26599
- https://ubuntu.com/security/CVE-2025-26599
- https://lists.x.org/archives/xorg-announce/2025-February/003584.html
- https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84bef2569b4ba4be59323cf575d1798ba9be
- https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8bedb90b039dc0f70ae69daf047ff9598
Frequently Asked Questions
What is the severity of CVE-2025-26599?
CVE-2025-26599 is classified as a medium severity vulnerability due to the potential risk of uninitialized pointer access leading to application crashes.
How do I fix CVE-2025-26599?
To fix CVE-2025-26599, update to the latest version of Xwayland where the vulnerability is addressed.
What systems are affected by CVE-2025-26599?
CVE-2025-26599 affects X.Org and Xwayland installations across various Linux distributions.
What type of vulnerability is CVE-2025-26599?
CVE-2025-26599 is an access to an uninitialized pointer flaw that can lead to resource allocation failures.
Are there any known exploits for CVE-2025-26599?
As of now, there are no known active exploits for CVE-2025-26599, but it is recommended to apply patches as a precaution.
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2025-26599
- collector/nvd-api
- source/NVD
- agent/references
- agent/title
- agent/weakness
- agent/type
- agent/severity
- agent/first-publish-date
- agent/author
- agent/trending
- agent/source
- agent/tags
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-cve
- collector/security-tracker-debian
- source/Debian
- vendor/x.org
- canonical/red hat xorg-x11-server-xwayland
- package-manager/debian