CVE-2025-26596
Published: 25 February 2025
Summary
CVE-2025-26596 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Redhat Enterprise Linux. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 8.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-26596 is a heap-based buffer overflow vulnerability (CWE-787) affecting X.Org and Xwayland. The flaw stems from a discrepancy in length computation between the XkbSizeKeySyms() and XkbWriteKeySyms() functions, which can lead to improper handling of data and a heap overflow. Published on 2025-02-25, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing arbitrary code execution or system crashes within the affected X server processes.
Red Hat has issued multiple errata to address the issue, including RHSA-2025:2500, RHSA-2025:2502, RHSA-2025:2861, RHSA-2025:2862, and RHSA-2025:2865, which provide updated packages with fixes for vulnerable X.Org and Xwayland versions in various Red Hat Enterprise Linux releases. Security practitioners should apply these patches promptly to mitigate exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5403
Vulnerability details
A heap overflow flaw was found in X.Org and Xwayland. The computation of the length in XkbSizeKeySyms() differs from what is written in XkbWriteKeySyms(), which may lead to a heap-based buffer overflow.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap overflow in Xwayland/X.Org keyboard handling (XkbWriteKeySyms), patched in TigerVNC, enables remote code execution via crafted input over VNC remote display protocol.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the heap overflow by requiring timely remediation through vendor patches like Red Hat errata RHSA-2025:2500 for vulnerable X.Org and Xwayland versions.
Implements memory safeguards such as ASLR, DEP, and heap canaries to prevent exploitation of the heap-based buffer overflow even in unpatched systems.
Enables identification of systems running vulnerable X.Org or Xwayland versions through regular vulnerability scanning, facilitating prompt patching.