Cyber Posture

CVE-2025-26596

High

Published: 25 February 2025
Modified: 06 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26596 is a high-severity out-of-bounds write (CWE-787) vulnerability in the X.Org X server and Xwayland, tracked here against Red Hat Enterprise Linux, which ships the affected packages. Its CVSS v3.1 base score is 7.8 (High).

Operationally, this page maps exploitation to the MITRE ATT&CK technique Exploitation of Remote Services (T1210). That mapping follows the TigerVNC case (its Xvnc server is built on the X.Org server code, so the vulnerable code sits behind a network-facing VNC service); the CVSS vector itself rates the attack vector as local (AV:L). EPSS ranks the CVE at the 8.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mitigates the heap overflow by requiring timely remediation through vendor patches, such as Red Hat erratum RHSA-2025:2500, for vulnerable X.Org server and Xwayland versions.

SI-16 Memory Protection (prevent)

Memory-protection features such as ASLR, non-executable memory (DEP/NX) and hardened heap allocators raise the cost of turning this heap overflow into code execution on systems that have not yet been patched. They do not remove the bug: a crash of the X server (denial of service) remains possible and these mitigations have been bypassed in practice, so they are a stopgap, not a substitute for SI-2.

Vulnerability monitoring and scanning (detect; the control identifier was not preserved on this page, the description corresponds to RA-5)

Enables identification of systems running vulnerable X.Org server, Xwayland or TigerVNC versions through regular vulnerability scanning, so that they can be patched promptly.

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The heap overflow in the X.Org/Xwayland keyboard-map handling (XkbWriteKeySyms) also affects TigerVNC, whose Xvnc server is built on the X.Org server code and was patched alongside it. On a network-exposed Xvnc the vulnerable code runs behind the VNC remote display protocol, so crafted input reaching that service may lead to remote code execution; this is why the page maps the CVE to T1210 even though the CVSS vector rates the attack vector as local.

NVD Description

A heap overflow flaw was found in X.Org and Xwayland. The computation of the length in XkbSizeKeySyms() differs from what is written in XkbWriteKeySyms(), which may lead to a heap-based buffer overflow.

Deeper analysis

CVE-2025-26596 is a heap-based buffer overflow (CWE-787, out-of-bounds write) affecting the X.Org X server and Xwayland. The flaw is a disagreement between two functions that must stay in lockstep: XkbSizeKeySyms() computes how many bytes the key-symbol data will occupy, and that figure sizes the buffer, but XkbWriteKeySyms() then writes the data by a different rule and can emit more bytes than were reserved, overrunning the heap allocation. Published on 2025-02-25, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
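The sizer/writer disagreement is a recurring bug class, so the following added example (constructed for this page, not the X.Org or Xwayland source; the ModelKeymap structure, the per-key record layout and every function name are assumptions) reproduces the pattern in miniature and shows the fix a practitioner wants. The sizer skips keys that have no symbols, the vulnerable writer emits a count byte for every key, so the two drift apart by one byte per empty key; the hardened writer iterates by the same rule as the sizer and is bounds-checked against the buffer length, so any future drift fails closed instead of corrupting the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_KEYS 16
#define MODEL_MAX_SYMS 8

/* Constructed model of a keymap: NOT the xkb structures used by X.Org. */
typedef struct {
    uint8_t  nsyms;                 /* symbols bound to this key */
    uint32_t syms[MODEL_MAX_SYMS];
} ModelKey;

typedef struct {
    size_t   nkeys;
    ModelKey keys[MODEL_MAX_KEYS];
} ModelKeymap;

/* Sizer: a per-key record is a 1-byte count followed by 4 bytes per
 * symbol; keys with no symbols contribute nothing to the total. */
static size_t model_size_key_syms(const ModelKeymap *km)
{
    size_t total = 0;
    for (size_t i = 0; i < km->nkeys; i++) {
        if (km->keys[i].nsyms == 0)
            continue;
        total += 1 + 4u * km->keys[i].nsyms;
    }
    return total;
}

/* Vulnerable writer: emits the count byte for EVERY key, including keys
 * with nsyms == 0 that the sizer skipped, so each empty key writes one
 * byte the caller never reserved. Here `buf` is oversized so the overrun
 * can be measured; in the real bug it is an exact-size heap allocation. */
static size_t model_write_key_syms_vuln(const ModelKeymap *km, uint8_t *buf)
{
    size_t off = 0;
    for (size_t i = 0; i < km->nkeys; i++) {
        buf[off++] = km->keys[i].nsyms;
        for (uint8_t j = 0; j < km->keys[i].nsyms; j++) {
            memcpy(buf + off, &km->keys[i].syms[j], 4);
            off += 4;
        }
    }
    return off;
}

/* Hardened writer: mirrors the sizer's rule exactly and additionally
 * bounds-checks against buflen, so drift between the two functions
 * returns -1 instead of writing past the allocation. */
static int model_write_key_syms_fixed(const ModelKeymap *km,
                                      uint8_t *buf, size_t buflen,
                                      size_t *written)
{
    size_t off = 0;
    for (size_t i = 0; i < km->nkeys; i++) {
        uint8_t n = km->keys[i].nsyms;
        if (n == 0)
            continue;
        size_t need = 1 + 4u * n;
        if (need > buflen - off)
            return -1;              /* refuse rather than overflow */
        buf[off++] = n;
        for (uint8_t j = 0; j < n; j++) {
            memcpy(buf + off, &km->keys[i].syms[j], 4);
            off += 4;
        }
    }
    *written = off;
    return 0;
}

/* Bytes the vulnerable writer emits beyond what the sizer reserved. */
static size_t model_overflow_bytes(const ModelKeymap *km)
{
    uint8_t scratch[MODEL_MAX_KEYS * (1 + 4 * MODEL_MAX_SYMS)];
    size_t sized = model_size_key_syms(km);
    size_t wrote = model_write_key_syms_vuln(km, scratch);
    return wrote > sized ? wrote - sized : 0;
}

/* Constructed sample: three keys, the middle one bound to no symbols. */
static ModelKeymap model_sample_keymap(void)
{
    ModelKeymap km;
    memset(&km, 0, sizeof km);
    km.nkeys = 3;
    km.keys[0].nsyms = 2; km.keys[0].syms[0] = 0x61; km.keys[0].syms[1] = 0x41;
    km.keys[1].nsyms = 0;
    km.keys[2].nsyms = 1; km.keys[2].syms[0] = 0xff0d;
    return km;
}

int main(void)
{
    ModelKeymap km = model_sample_keymap();
    uint8_t buf[64];
    size_t written = 0;
    size_t sized = model_size_key_syms(&km);
    int rc = model_write_key_syms_fixed(&km, buf, sized, &written);
    printf("sizer reserves %zu bytes\n", sized);
    printf("vulnerable writer overruns by %zu byte(s)\n", model_overflow_bytes(&km));
    printf("fixed writer into exact buffer: rc=%d written=%zu\n", rc, written);
    return 0;
}
```

The overrun is measured into an oversized scratch buffer rather than triggered against a real heap allocation; what makes the genuine flaw CWE-787 is that the destination is sized exactly by the sizer, so a one-byte disagreement per key lands on adjacent heap metadata or data. The two defensive points are the ones worth carrying into a code review: the writer must use the same skip rule as the sizer, and it should take the buffer length as a parameter rather than trusting that the sizer agreed.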

A local attacker with low privileges can exploit the flaw with low attack complexity and no user interaction. Successful exploitation yields high impact on confidentiality, integrity and availability: arbitrary code execution or a crash inside the affected X server process. The scope is unchanged (S:U), so the practical impact is bounded by that process's privileges, which vary by deployment: Xwayland and TigerVNC's Xvnc normally run as the session user, while an Xorg server that is not running rootless runs as root.

Red Hat has issued multiple errata to address the issue, including RHSA-2025:2500, RHSA-2025:2502, RHSA-2025:2861, RHSA-2025:2862, and RHSA-2025:2865, which provide updated packages with fixes for vulnerable X.Org and Xwayland versions in various Red Hat Enterprise Linux releases. Security practitioners should apply these patches promptly to mitigate exposure.

Details

CWE(s)

CWE-787 Out-of-bounds Write

Affected Products (vendor / product / versions)

tigervnc / tigervnc / all versions, as listed on this page
x.org / x server / earlier than 21.1.16 (fixed in 21.1.16)
x.org / xwayland / earlier than 24.1.6 (fixed in 24.1.6)
redhat / enterprise linux / 7, 8, 9

CVEs Like This One

CVE-2025-26598 (same product: Red Hat Enterprise Linux)
CVE-2025-26595 (same product: Red Hat Enterprise Linux)
CVE-2025-26594 (same product: Red Hat Enterprise Linux)
CVE-2025-26597 (same product: Red Hat Enterprise Linux)
CVE-2025-26600 (same product: Red Hat Enterprise Linux)
CVE-2025-26599 (same product: Red Hat Enterprise Linux)
CVE-2025-26601 (same product: Red Hat Enterprise Linux)
CVE-2025-1268 (shared CWE-787)
CVE-2026-7426 (shared CWE-787)
CVE-2025-14235 (shared CWE-787)

CVE-2025-26594 through CVE-2025-26601 are the other issues fixed in the same X.Org server and Xwayland releases.
