CVE-2025-26598: Xorg: xwayland: out-of-bounds write in createpointerbarrierclient()
An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searches for the pointer device based on its device ID and returns the matching value, or supposedly NULL, if no match was found. However, the code will return the last element of the list if no matching device ID is found, which can lead to out-of-bounds memory access.
Security readout for executives and security teams
Plain-English summary
This is a local memory-corruption flaw in X.Org/Xwayland-related server code. A logged-in local user could potentially crash or compromise a graphical server process. Business urgency is highest for Linux desktops, VDI, remote GUI, and systems where untrusted users can obtain shell or graphical-session access.
Executive priority
Treat as high priority where Linux graphical infrastructure is shared or remotely accessible. It is not documented as actively exploited in the supplied sources, but successful local exploitation could affect confidentiality, integrity, and availability of the graphical server context.
Technical view
GetBarrierDevice() may return the last list element instead of NULL when no pointer device ID matches. createpointerbarrierclient() can then reach out-of-bounds memory access. The source rates it CVSS 7.8, CWE-787, local attack vector, low complexity, low privileges, no user interaction, and high confidentiality, integrity, and availability impact.
Likely exposure
Affected exposure includes listed Red Hat Enterprise Linux 6 ELS, 7 ELS, 8, 9, 10, and related AUS/EUS/E4S/TUS/SAP streams running vulnerable xorg-x11-server, xorg-x11-server-Xwayland, or tigervnc packages. Debian LTS also published an advisory. Other distributions may need vendor confirmation.
Exploitation context
The provided bundle does not show CISA KEV listing or confirmed active exploitation. The CVSS vector indicates local exploitation by a low-privileged user without user interaction, so risk depends on local account access, shared workstations, remote GUI services, and multi-user Linux environments.
Researcher notes
Evidence supports a local out-of-bounds write in pointer barrier handling. The bundle gives affected Red Hat package streams and advisories, plus Debian LTS notice, but does not include exploit proof, patch diff details, or universal upstream/distribution coverage. Avoid assuming internet-remote exposure.
Mitigation direction
Apply relevant vendor security updates for affected Xorg, Xwayland, or TigerVNC packages.
Prioritize shared Linux hosts, VDI pools, jump boxes, and systems with untrusted local users.
Check Red Hat advisories for the exact product stream and package version.
Review Debian LTS guidance if managing Debian-based affected systems.
Restrict local shell and graphical-session access where patching is delayed.
Monitor vendor advisories for additional distributions or revised package status.
Validation and detection
Inventory installed xorg-x11-server, xorg-x11-server-Xwayland, and tigervnc package versions.
Map each host to the affected product streams listed in vendor advisories.
Confirm security errata installation through your package-management and vulnerability-scanning records.
Check for exposed VNC or remote GUI services on affected Linux hosts.
Validate that compensating access controls cover unpatched multi-user systems.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-787: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
5Timeline events
2ADP providers
19Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-787 · source CWE mapping
Out-of-bounds Write
Out-of-bounds Write represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.