Cyber Resilience

CVE-2025-26598

High

Published: 25 February 2025

Published
25 February 2025
Modified
06 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 9.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26598 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Redhat Enterprise Linux. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 9.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-26598 is an out-of-bounds write vulnerability in X.Org Server and Xwayland. The flaw occurs in the GetBarrierDevice() function, which searches for a pointer device by its device ID and is intended to return NULL if no match is found. Instead, the function returns the last element of the list when no matching device ID exists, potentially leading to out-of-bounds memory access. The vulnerability is classified under CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 7.8.

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, enabling potential arbitrary code execution, data corruption, or system crashes through the out-of-bounds write.

Red Hat has issued multiple security errata addressing this issue, including RHSA-2025:2500, RHSA-2025:2502, RHSA-2025:2861, RHSA-2025:2862, and RHSA-2025:2865, which provide updated packages for affected Red Hat products incorporating fixes for the vulnerability.

EU & UK References

Vulnerability details

An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searches for the pointer device based on its device ID and returns the matching value, or supposedly NULL, if no match was found. However, the code will…

more

return the last element of the list if no matching device ID is found, which can lead to out-of-bounds memory access.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Out-of-bounds write and related memory corruption vulnerabilities (use-after-free, buffer/heap overflows) in Xwayland, as patched in TigerVNC server, enable remote exploitation over VNC connections for arbitrary code execution.

CVEs Like This One

CVE-2025-26596Same product: Redhat Enterprise Linux
CVE-2025-26595Same product: Redhat Enterprise Linux
CVE-2025-26594Same product: Redhat Enterprise Linux
CVE-2025-26597Same product: Redhat Enterprise Linux
CVE-2025-26599Same product: Redhat Enterprise Linux
CVE-2025-26600Same product: Redhat Enterprise Linux
CVE-2025-26601Same product: Redhat Enterprise Linux
CVE-2024-43096Shared CWE-787
CVE-2025-1268Shared CWE-787
CVE-2025-20633Shared CWE-787

Affected Assets

tigervnc
tigervnc
all versions
x.org
x server
≤ 21.1.16
x.org
xwayland
≤ 24.1.6
redhat
enterprise linux
7.0, 8.0, 9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates identification, reporting, and correction of software flaws like the out-of-bounds write in X.Org Server's GetBarrierDevice function via timely patching.

prevent

Provides runtime memory protections such as non-executable memory and address space randomization to block exploitation of out-of-bounds writes in CVE-2025-26598.

detect

Facilitates discovery of vulnerabilities like CVE-2025-26598 through automated scanning, enabling proactive flaw remediation.

References