CVE-2025-26600
Published: 25 February 2025
Summary
CVE-2025-26600 is a high-severity Use After Free (CWE-416) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); it is ranked at the 8.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely identification, reporting, and correction of flaws such as this use-after-free in X.Org and Xwayland, through patching.
- SI-16 (Memory Protection): Implements memory protection mechanisms such as address space layout randomization or data execution prevention to make exploitation of the use-after-free condition harder.
- RA-5 (Vulnerability Monitoring and Scanning): Enables vulnerability scanning to identify the presence of CVE-2025-26600 in deployed X.Org and Xwayland components, prompting remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free and related memory corruption vulnerabilities (e.g., buffer overflows, out-of-bounds writes) in Xwayland, addressed in TigerVNC updates, occur during input/event processing (e.g., PlayReleasedEvents, Xkb functions), enabling remote code execution via crafted events from a malicious VNC client.
NVD Description
A use-after-free flaw was found in X.Org and Xwayland. When a device is removed while still frozen, the events queued for that device remain while the device is freed. Replaying the events will cause a use-after-free.
Deeper analysis
CVE-2025-26600 is a use-after-free vulnerability (CWE-416) affecting X.Org and Xwayland. The flaw arises when a device is removed while still in a frozen state, causing events queued for that device to persist even after the device structure is freed. Subsequent replay of these events triggers the use-after-free condition. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability, since it has low attack complexity and requires no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability, potentially allowing arbitrary code execution or system compromise within the affected X server context.
Red Hat has issued multiple errata addressing this issue, including RHSA-2025:2500, RHSA-2025:2502, RHSA-2025:2861, RHSA-2025:2862, and RHSA-2025:2865, which provide patched packages for vulnerable X.Org and Xwayland components on supported systems.
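To make the lifecycle bug concrete, the following is an added, self-contained C model of the failure mode described above. It is not X.Org or Xwayland code, and every type and function name in it is hypothetical: a frozen device's events sit in a replay queue that holds raw pointers to the device, the unsafe removal path frees the device without touching the queue, and the hardened path purges the device's queued events before freeing it. The queue_count_refs helper is the kind of audit check a maintainer would want on every removal path.

```c
/* Toy model of the CVE-2025-26600 bug class (added example, not X.Org code).
 * While a device is frozen its events are queued for later replay. If the
 * device is freed while queued events still point at it, replay dereferences
 * freed memory. All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

typedef struct Device {
    int id;
    int frozen;          /* 1 while the device's events are held for replay */
} Device;

typedef struct Event {
    Device *dev;         /* raw pointer to the owning device: the hazard */
    int code;
    struct Event *next;
} Event;

typedef struct Queue { Event *head; } Queue;

/* Append an event for dev to the replay queue. Returns 0 on success. */
int queue_push(Queue *q, Device *dev, int code)
{
    Event *e = malloc(sizeof *e);
    if (e == NULL)
        return -1;
    e->dev = dev; e->code = code; e->next = NULL;
    Event **pp = &q->head;
    while (*pp != NULL)
        pp = &(*pp)->next;
    *pp = e;
    return 0;
}

/* Audit check: how many queued events still reference dev. Any value above
 * zero means freeing dev right now would leave dangling pointers behind. */
size_t queue_count_refs(const Queue *q, const Device *dev)
{
    size_t n = 0;
    for (const Event *e = q->head; e != NULL; e = e->next)
        if (e->dev == dev)
            n++;
    return n;
}

/* Unlink and free every queued event that references dev. Returns the number
 * dropped. This is exactly the step the vulnerable removal path omits. */
size_t queue_purge_device(Queue *q, const Device *dev)
{
    size_t dropped = 0;
    Event **pp = &q->head;
    while (*pp != NULL) {
        Event *e = *pp;
        if (e->dev == dev) {
            *pp = e->next;          /* unlink; do not advance pp */
            free(e);
            dropped++;
        } else {
            pp = &e->next;
        }
    }
    return dropped;
}

/* Vulnerable removal: frees the device but leaves its queued events in place.
 * A later replay() would read through e->dev into freed memory. */
void device_remove_unsafe(Device *dev) { free(dev); }

/* Hardened removal: drop the device's pending events first, then free it. */
void device_remove_safe(Queue *q, Device *dev)
{
    queue_purge_device(q, dev);
    free(dev);
}

/* Deliver queued events whose device is no longer frozen; events of frozen
 * devices stay queued. Returns the number delivered. */
size_t replay(Queue *q)
{
    size_t delivered = 0;
    Event **pp = &q->head;
    while (*pp != NULL) {
        Event *e = *pp;
        if (e->dev->frozen) { pp = &e->next; continue; }
        *pp = e->next;
        free(e);
        delivered++;
    }
    return delivered;
}

/* Advisory scenario: device frozen, three events queued, device removed while
 * still frozen via the safe path. Returns events replayed afterwards (0). */
size_t scenario_safe_removal(void)
{
    Queue q = { NULL };
    Device *dev = malloc(sizeof *dev);
    if (dev == NULL) return (size_t)-1;
    dev->id = 7; dev->frozen = 1;
    queue_push(&q, dev, 1); queue_push(&q, dev, 2); queue_push(&q, dev, 3);
    device_remove_safe(&q, dev);   /* purges 3 events, then frees dev */
    return replay(&q);
}

/* Mixed queue: frozen device a with 2 events, live device b with 1. Purging a
 * must drop exactly 2 and leave b's event deliverable. Returns 2 on success,
 * -1 if any reference to a survived the purge. */
int scenario_mixed_purge(void)
{
    Queue q = { NULL };
    Device a = { 1, 1 }, b = { 2, 0 };
    queue_push(&q, &a, 10); queue_push(&q, &b, 20); queue_push(&q, &a, 11);
    int dropped = (int)queue_purge_device(&q, &a);
    if (queue_count_refs(&q, &a) != 0) return -1;
    if (replay(&q) != 1) return -1;   /* b's single event is delivered */
    return dropped;
}

int main(void)
{
    printf("safe removal replayed %zu events\n", scenario_safe_removal());
    printf("mixed purge dropped %d events\n", scenario_mixed_purge());
    return 0;
}
```

The audit helper is the practical takeaway: on any device-removal path, a count of queued references greater than zero is a bug, whether or not the device is frozen at that moment.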
Details
- CWE(s)