CVE-2025-26598
Published: 25 February 2025
Summary
CVE-2025-26598 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Redhat Enterprise Linux. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 9.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates identification, reporting, and correction of software flaws like the out-of-bounds write in X.Org Server's GetBarrierDevice function via timely patching.
Provides runtime memory protections such as non-executable memory and address space randomization to block exploitation of out-of-bounds writes in CVE-2025-26598.
Facilitates discovery of vulnerabilities like CVE-2025-26598 through automated scanning, enabling proactive flaw remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds write and related memory corruption vulnerabilities (use-after-free, buffer/heap overflows) in Xwayland, as patched in TigerVNC server, enable remote exploitation over VNC connections for arbitrary code execution.
NVD Description
An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searches for the pointer device based on its device ID and returns the matching value, or supposedly NULL, if no match was found. However, the code will…
more
return the last element of the list if no matching device ID is found, which can lead to out-of-bounds memory access.
Deeper analysisAI
CVE-2025-26598 is an out-of-bounds write vulnerability in X.Org Server and Xwayland. The flaw occurs in the GetBarrierDevice() function, which searches for a pointer device by its device ID and is intended to return NULL if no match is found. Instead, the function returns the last element of the list when no matching device ID exists, potentially leading to out-of-bounds memory access. The vulnerability is classified under CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 7.8.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, enabling potential arbitrary code execution, data corruption, or system crashes through the out-of-bounds write.
Red Hat has issued multiple security errata addressing this issue, including RHSA-2025:2500, RHSA-2025:2502, RHSA-2025:2861, RHSA-2025:2862, and RHSA-2025:2865, which provide updated packages for affected Red Hat products incorporating fixes for the vulnerability.
Details
- CWE(s)