Cyber Posture

CVE-2025-26594

Severity: High
Published: 25 February 2025
Modified: 06 April 2026
KEV Added: not listed
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26594 is a high-severity Use After Free (CWE-416) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). EPSS ranks it at the 8.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Requires timely remediation of the use-after-free flaw in X.Org and Xwayland through patching, as detailed in vendor errata such as RHSA-2025:2500.

prevent (SI-16, Memory Protection): Implements memory protection mechanisms that directly mitigate use-after-free vulnerabilities by preventing invalid memory references after a free.

detect (RA-5, Vulnerability Monitoring and Scanning): Scans and monitors for known vulnerabilities such as CVE-2025-26594 to identify affected X.Org and Xwayland components for prompt remediation.

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

CVE-2025-26594 and the associated Xwayland vulnerabilities (CVE-2025-26595 through CVE-2025-26601), addressed in TigerVNC updates, are memory corruption flaws (use-after-free, buffer/heap overflows, out-of-bounds writes, uninitialized pointers) that can be triggered through X protocol handling. In the context of the TigerVNC server (a remote desktop service), these enable remote code execution by a malicious VNC client, which is why the analysis maps them to Exploitation of Remote Services (T1210).

NVD Description

A use-after-free flaw was found in X.Org and Xwayland. The root cursor is referenced in the X server as a global variable. If a client frees the root cursor, the internal reference points to freed memory and causes a use-after-free.

Deeper analysis

CVE-2025-26594 is a use-after-free vulnerability (CWE-416) affecting X.Org and Xwayland. The flaw occurs because the root cursor is referenced in the X server as a global variable. If a client frees the root cursor, the internal reference continues to point to freed memory, triggering a use-after-free condition. The vulnerability was published on 2025-02-25.

The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). A local attacker with low privileges can exploit it through low-complexity means without requiring user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or system crashes.

Red Hat has issued multiple errata addressing this issue, including RHSA-2025:2500, RHSA-2025:2502, RHSA-2025:2861, RHSA-2025:2862, and RHSA-2025:2865. Security practitioners should review these advisories for detailed patching instructions and mitigation guidance specific to affected Red Hat products.

Details

CWE(s): CWE-416 Use After Free

Affected Products (vendor / product: versions)

tigervnc / tigervnc: all versions
x.org / x server: ≤ 21.1.16
x.org / xwayland: ≤ 24.1.6
redhat / enterprise linux: 7.0, 8.0, 9.0

CVEs Like This One

CVE-2025-26600 (same product: Red Hat Enterprise Linux)
CVE-2025-26601 (same product: Red Hat Enterprise Linux)
CVE-2025-26597 (same product: Red Hat Enterprise Linux)
CVE-2025-26599 (same product: Red Hat Enterprise Linux)
CVE-2025-26596 (same product: Red Hat Enterprise Linux)
CVE-2025-26598 (same product: Red Hat Enterprise Linux)
CVE-2025-26595 (same product: Red Hat Enterprise Linux)
CVE-2025-21406 (shared CWE-416)
CVE-2025-0075 (shared CWE-416)
CVE-2025-21295 (shared CWE-416)