Cyber Posture

CVE-2025-26595

High

Published: 25 February 2025

Modified: 06 April 2026
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.3th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-26595 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 8.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: SI-2 mandates timely flaw remediation, directly addressing the buffer overflow in XkbVModMaskText() via vendor patches like Red Hat errata RHSA-2025:2500.

prevent: SI-16 implements memory protections such as stack canaries, ASLR, and non-executable stacks that prevent exploitation of stack-based buffer overflows like CVE-2025-26595.

prevent: SI-10 requires validation of information inputs, including bounds checking on virtual modifier names copied into fixed buffers by XkbVModMaskText().

MITRE ATT&CK Enterprise Techniques (AI)

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The buffer overflow (CVE-2025-26595) and related memory corruption vulnerabilities (e.g., use-after-free, out-of-bounds write, heap overflow) in Xwayland, patched via TigerVNC updates, enable exploitation of the remote VNC service for potential remote code execution.

NVD Description

A buffer overflow flaw was found in X.Org and Xwayland. The code in XkbVModMaskText() allocates a fixed-sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code fails to check the bounds of the buffer and would copy the data regardless of the size.

Deeper analysis (AI)

CVE-2025-26595 is a buffer overflow vulnerability affecting X.Org and Xwayland. The flaw resides in the XkbVModMaskText() function, which allocates a fixed-sized buffer on the stack and copies names of virtual modifiers into it without bounds checking, regardless of the input size. This issue, published on 2025-02-25, is classified under CWE-121 (stack-based buffer overflow) and CWE-787 (out-of-bounds write), with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
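The bounds check that this description says is missing, shown as an added C example; it is not the X.Org or Xwayland source. The function name vmod_mask_text, the helper append_bounded and the sample names are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NUM_VMODS 16 /* XKB defines 16 virtual modifiers */

/* Constructed sample names (not real server data); unset slots are NULL. */
static const char *const sample_names[NUM_VMODS] = {
    "NumLock", "ScrollLock", "LevelThree",
    "ConstructedOverlongVirtualModifierNameUsedForThisExample",
};

/* Append src to dst (capacity cap, current length *len).
 * Returns 0 on success, -1 if src plus its NUL does not fit (dst untouched). */
static int append_bounded(char *dst, size_t cap, size_t *len, const char *src)
{
    size_t n = strlen(src);
    if (n >= cap - *len) /* invariant: *len < cap, so no underflow */
        return -1;
    memcpy(dst + *len, src, n + 1);
    *len += n;
    return 0;
}

/* Join the names of the modifiers set in mask as "A+B+C" into out[cap].
 * Returns 0 if all names fit, -1 if not; out then holds whole names only. */
int vmod_mask_text(unsigned mask, const char *const names[NUM_VMODS],
                   char *out, size_t cap)
{
    size_t len = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (int i = 0; i < NUM_VMODS; i++) {
        if (!(mask & (1u << i)) || names[i] == NULL)
            continue;
        size_t mark = len; /* roll back to here if this name does not fit */
        if ((len > 0 && append_bounded(out, cap, &len, "+") != 0) ||
            append_bounded(out, cap, &len, names[i]) != 0) {
            out[mark] = '\0';
            return -1;
        }
    }
    return 0;
}

int main(void)
{
    char buf[16]; /* deliberately too small for all three names */
    int rc = vmod_mask_text(0x7, sample_names, buf, sizeof buf);
    printf("rc=%d text=\"%s\"\n", rc, buf);
    return 0;
}
```

The caller passes the buffer capacity explicitly and gets an error instead of a write past the end when the combined names exceed it.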

Local attackers with low privileges can exploit this vulnerability. Requiring only local access and low attack complexity with no user interaction, exploitation enables high-impact consequences, including unauthorized access to sensitive data, modification of system integrity, and denial of service through potential arbitrary code execution in the context of the affected process.

Red Hat has released multiple security errata to address CVE-2025-26595, including RHSA-2025:2500, RHSA-2025:2502, RHSA-2025:2861, RHSA-2025:2862, and RHSA-2025:2865. Security practitioners should review and apply these updates promptly to affected systems running vulnerable versions of X.Org or Xwayland.

Details

CWE(s)

Affected Products

Vendor | Product | Versions
tigervnc | tigervnc | all versions
x.org | x server | ≤ 21.1.16
x.org | xwayland | ≤ 24.1.6
redhat | enterprise linux | 7.0, 8.0, 9.0

CVEs Like This One

CVE-2025-26598: Same product: Red Hat Enterprise Linux
CVE-2025-26596: Same product: Red Hat Enterprise Linux
CVE-2025-26597: Same product: Red Hat Enterprise Linux
CVE-2025-26594: Same product: Red Hat Enterprise Linux
CVE-2025-26599: Same product: Red Hat Enterprise Linux
CVE-2025-26601: Same product: Red Hat Enterprise Linux
CVE-2025-26600: Same product: Red Hat Enterprise Linux
CVE-2025-30472: Shared CWE-121, CWE-787
CVE-2026-3972: Shared CWE-121, CWE-787
CVE-2025-1268: Shared CWE-787
