CVE-2025-26601: Xorg: xwayland: use-after-free in syncinittrigger()
First published: Wed Feb 12 2025(Updated: )
A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object, possibly causing a use-after-free when the alarm eventually triggers.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/xorg-server | <=2:1.20.11-1+deb11u13<=2:21.1.7-3+deb12u8<=2:21.1.15-3 | 2:1.20.11-1+deb11u15 2:21.1.7-3+deb12u9 2:21.1.16-1 |
| debian/xwayland | <=2:22.1.9-1<=2:24.1.5-1 | 2:24.1.6-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2025-26601
- https://bugzilla.redhat.com/show_bug.cgi?id=2345251
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26601
- https://nvd.nist.gov/vuln/detail/CVE-2025-26601
- https://launchpad.net/bugs/cve/CVE-2025-26601
- https://security-tracker.debian.org/tracker/CVE-2025-26601
- https://ubuntu.com/security/CVE-2025-26601
- https://lists.x.org/archives/xorg-announce/2025-February/003584.html
- https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d0ffc7f45ed3c595ee7564b5c04287e0b
- https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f93a0c891494eb3334894442a92368030
- https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8817306af75a60f494ec9dbb1061e50db
- https://gitlab.freedesktop.org/xorg/xserver/-/commit/c285798984c6bb99e454a33772cde23d394d3dcd
Frequently Asked Questions
What is the severity of CVE-2025-26601?
CVE-2025-26601 is rated as high severity due to the potential for exploitation of the use-after-free flaw.
How do I fix CVE-2025-26601?
To address CVE-2025-26601, update the xorg-server and xwayland packages to the latest versions provided in your distribution.
What software is affected by CVE-2025-26601?
CVE-2025-26601 affects the xorg-server and xwayland packages on Debian systems.
Can CVE-2025-26601 lead to arbitrary code execution?
Yes, the use-after-free flaw in CVE-2025-26601 could potentially allow an attacker to execute arbitrary code.
Is there a temporary workaround for CVE-2025-26601?
Currently, no specific temporary workaround for CVE-2025-26601 is recommended besides applying the software updates promptly.
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2025-26601
- collector/nvd-api
- source/NVD
- collector/usn-cve
- source/Ubuntu
- collector/nvd-cve
- agent/description
- agent/weakness
- agent/references
- agent/title
- agent/type
- agent/last-modified-date
- agent/severity
- agent/source
- agent/author
- agent/first-publish-date
- agent/softwarecombine
- agent/trending
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- package-manager/debian