Cyber Resilience

CVE-2025-26596

High

Published: 25 February 2025

Published
25 February 2025
Modified
06 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 8.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26596 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Redhat Enterprise Linux. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 8.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-26596 is a heap-based buffer overflow vulnerability (CWE-787) affecting X.Org and Xwayland. The flaw stems from a discrepancy in length computation between the XkbSizeKeySyms() and XkbWriteKeySyms() functions, which can lead to improper handling of data and a heap overflow. Published on 2025-02-25, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing arbitrary code execution or system crashes within the affected X server processes.

Red Hat has issued multiple errata to address the issue, including RHSA-2025:2500, RHSA-2025:2502, RHSA-2025:2861, RHSA-2025:2862, and RHSA-2025:2865, which provide updated packages with fixes for vulnerable X.Org and Xwayland versions in various Red Hat Enterprise Linux releases. Security practitioners should apply these patches promptly to mitigate exposure.

EU & UK References

Vulnerability details

A heap overflow flaw was found in X.Org and Xwayland. The computation of the length in XkbSizeKeySyms() differs from what is written in XkbWriteKeySyms(), which may lead to a heap-based buffer overflow.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Heap overflow in Xwayland/X.Org keyboard handling (XkbWriteKeySyms), patched in TigerVNC, enables remote code execution via crafted input over VNC remote display protocol.

CVEs Like This One

CVE-2025-26598Same product: Redhat Enterprise Linux
CVE-2025-26595Same product: Redhat Enterprise Linux
CVE-2025-26594Same product: Redhat Enterprise Linux
CVE-2025-26597Same product: Redhat Enterprise Linux
CVE-2025-26599Same product: Redhat Enterprise Linux
CVE-2025-26600Same product: Redhat Enterprise Linux
CVE-2025-26601Same product: Redhat Enterprise Linux
CVE-2024-43096Shared CWE-787
CVE-2025-1268Shared CWE-787
CVE-2025-20633Shared CWE-787

Affected Assets

tigervnc
tigervnc
all versions
x.org
x server
≤ 21.1.16
x.org
xwayland
≤ 24.1.6
redhat
enterprise linux
7.0, 8.0, 9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the heap overflow by requiring timely remediation through vendor patches like Red Hat errata RHSA-2025:2500 for vulnerable X.Org and Xwayland versions.

prevent

Implements memory safeguards such as ASLR, DEP, and heap canaries to prevent exploitation of the heap-based buffer overflow even in unpatched systems.

detect

Enables identification of systems running vulnerable X.Org or Xwayland versions through regular vulnerability scanning, facilitating prompt patching.

References