Cyber Posture

CVE-2025-26597

High

Published: 25 February 2025

Modified: 06 April 2026
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.3th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-26597 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). Its exploit likelihood ranks at the 8.3th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Mandates timely remediation of identified software flaws, such as applying Red Hat patches for the buffer overflow in X.Org and Xwayland.

Prevent: Implements memory safeguards like ASLR, DEP, and stack canaries to block unauthorized code execution from buffer overflows in functions like XkbChangeTypesOfKey.

Prevent: Requires validation of inputs to prevent improper operations like resizing key tables to zero groups that mismatch the size of the key actions.

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

Buffer overflow and related memory corruption vulnerabilities (e.g., use-after-free, heap overflow) in Xwayland, as used in TigerVNC remote display system, enable remote code execution via exploitation of the remote service.

NVD Description

A buffer overflow flaw was found in X.Org and Xwayland. If XkbChangeTypesOfKey() is called with a 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If the same function is later called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size.

Deeper analysis

CVE-2025-26597 is a buffer overflow vulnerability in X.Org and Xwayland. The flaw occurs in the XkbChangeTypesOfKey() function: when called with a group value of 0, it resizes the key symbols table to zero while leaving the key actions unchanged. A subsequent call with a non-zero group value then triggers a buffer overflow due to the mismatched size of the key actions table. This issue, classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), received a CVSS v3.1 base score of 7.8.

The vulnerability can be exploited by a local attacker with low privileges (PR:L). The vector specifies local access (AV:L), low attack complexity (AC:L), and no user interaction (UI:N), with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) and unchanged scope (S:U). Successful exploitation could enable arbitrary code execution or system compromise from a low-privileged context.

Red Hat has addressed the vulnerability through multiple errata releases, including RHSA-2025:2500, RHSA-2025:2502, RHSA-2025:2861, RHSA-2025:2862, and RHSA-2025:2865, which provide updated packages for affected X.Org and Xwayland components in various Red Hat Enterprise Linux versions. Security practitioners should apply these patches promptly to mitigate the risk.

Details

CWE(s)

Affected Products

tigervnc / tigervnc: all versions
x.org / x server: ≤ 21.1.16
x.org / xwayland: ≤ 24.1.6
redhat / enterprise linux: 7.0, 8.0, 9.0

CVEs Like This One

CVE-2025-26594 (same product: Red Hat Enterprise Linux)
CVE-2025-26600 (same product: Red Hat Enterprise Linux)
CVE-2025-26599 (same product: Red Hat Enterprise Linux)
CVE-2025-26596 (same product: Red Hat Enterprise Linux)
CVE-2025-26601 (same product: Red Hat Enterprise Linux)
CVE-2025-26598 (same product: Red Hat Enterprise Linux)
CVE-2025-26595 (same product: Red Hat Enterprise Linux)
CVE-2026-7068 (shared CWE-119)
CVE-2025-2521 (shared CWE-119)
CVE-2026-7069 (shared CWE-119)
