Cyber Posture

CVE-2025-26601

Severity: High
Published: 25 February 2025
Modified: 06 April 2026
KEV Added: not listed
Patch: available (Red Hat security errata)
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (percentile 10.2)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26601 is a high-severity use-after-free (CWE-416) vulnerability in the X.Org server and Xwayland as shipped in Red Hat Enterprise Linux. Its CVSS base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation of Remote Services (T1210). EPSS ranks it at the 10.2 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly remediates the use-after-free flaw in X.Org and Xwayland through timely patching with the updated packages provided by Red Hat security errata.

Memory protection (prevent): implements memory protection controls such as ASLR and DEP to raise the cost of exploiting the use-after-free; these reduce exploitability but do not remove the flaw, so they complement rather than replace patching.

RA-5 Vulnerability Monitoring and Scanning (prevent, detect): monitors and scans for vulnerabilities like CVE-2025-26601 to identify affected components and trigger timely updates.

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The use-after-free around Xwayland's SyncInitTrigger() was patched in TigerVNC together with related memory-corruption flaws (buffer overflows, out-of-bounds writes). TigerVNC exposes the X server's handling of X11 protocol extensions as a network-facing VNC display service, which is why the flaw is mapped to exploitation of a remote service. Note that the CVSS vector rates the attack vector as local (AV:L); the T1210 mapping applies where the server is reachable through such a service.

NVD Description

A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object, possibly causing a use-after-free when the alarm eventually triggers.

Deeper analysis

CVE-2025-26601 is a use-after-free vulnerability (CWE-416) affecting X.Org and Xwayland. The flaw occurs when changing an alarm, as the values of the change mask are evaluated sequentially, updating trigger values before calling SyncInitTrigger(). If an error occurs during one of these changes, the function returns early without adding the new sync object, leading to a potential use-after-free when the alarm triggers. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-25.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or system crashes on affected systems running vulnerable versions of X.Org or Xwayland.

Red Hat has issued multiple security errata addressing this vulnerability, including RHSA-2025:2500, RHSA-2025:2502, RHSA-2025:2861, RHSA-2025:2862, and RHSA-2025:2865, which provide updated packages to mitigate the use-after-free flaw in supported products.
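The early-return pattern described in the NVD text and in the analysis above, as an added illustrative model in C. This is not X.Org or Xwayland source and not the upstream fix; it reproduces only the shape of the bug. A single alarm references a counter object by table index, a change request applies the masked attributes one after the other, and an error on a later attribute returns before the registration step (the stand-in for SyncInitTrigger()) runs. Destroying the new counter then leaves the alarm holding a reference that nothing unlinks, which the model detects through an alive flag instead of dereferencing freed memory. The hardened variant validates the whole change mask on a scratch copy before touching the live alarm, so a rejected request changes nothing. All names (SyncObj, Alarm, change_alarm_vulnerable, change_alarm_fixed, init_trigger, alarm_fire, run_scenario) and the rule that a threshold must be positive are constructed for this example.

```c
/* Added illustrative model of the early-return pattern described for CVE-2025-26601.
 * Not X.Org/Xwayland source and not the upstream fix: every name here is a stand-in.
 * Objects live in a small table and carry an `alive` flag, so a stale reference is
 * detected deterministically instead of dereferencing freed memory. */
#include <stdbool.h>
#include <stdio.h>
#define MAX_OBJS 4
#define NO_OBJ (-1)

typedef struct {
    bool alive;        /* false once destroyed ("freed") */
    int value;         /* counter value the alarm compares against */
    bool has_watcher;  /* true while the alarm is registered on this object */
} SyncObj;
typedef struct { int counter; int threshold; } Alarm;  /* counter: table index or NO_OBJ */
static SyncObj g_objs[MAX_OBJS];
static Alarm g_alarm;   /* one alarm keeps the model small */
enum { CHG_COUNTER = 1u, CHG_THRESHOLD = 2u };   /* change-mask bits of one request */
typedef struct { int counter; int threshold; } AlarmChange;

static void model_reset(void) {
    for (int i = 0; i < MAX_OBJS; i++) g_objs[i] = (SyncObj){ false, 0, false };
    g_alarm = (Alarm){ NO_OBJ, 1 };
}
static int obj_create(int value) {
    for (int i = 0; i < MAX_OBJS; i++)
        if (!g_objs[i].alive) { g_objs[i] = (SyncObj){ true, value, false }; return i; }
    return NO_OBJ;
}
static bool obj_valid(int idx) { return idx >= 0 && idx < MAX_OBJS && g_objs[idx].alive; }
/* Destroying an object unlinks the alarm only if the alarm was registered on it. */
static void obj_destroy(int idx) {
    g_objs[idx].alive = false;
    if (g_objs[idx].has_watcher) { g_objs[idx].has_watcher = false; g_alarm.counter = NO_OBJ; }
}
/* Stand-in for SyncInitTrigger(): registers the alarm on its current counter. */
static int init_trigger(void) {
    if (!obj_valid(g_alarm.counter)) return -1;
    g_objs[g_alarm.counter].has_watcher = true;
    return 0;
}

/* Vulnerable shape: masked fields are applied as they are evaluated and a later error
 * returns early, so the counter is switched but never registered on the new object. */
static int change_alarm_vulnerable(unsigned mask, const AlarmChange *c) {
    if (mask & CHG_COUNTER) {
        if (!obj_valid(c->counter)) return -1;
        if (g_alarm.counter != NO_OBJ) g_objs[g_alarm.counter].has_watcher = false;
        g_alarm.counter = c->counter;            /* switched, not yet registered */
    }
    if (mask & CHG_THRESHOLD) {
        if (c->threshold <= 0) return -1;        /* early return skips init_trigger() */
        g_alarm.threshold = c->threshold;
    }
    return init_trigger();
}

/* Hardened shape: validate every masked field on a scratch copy first and touch the
 * live alarm only after all checks pass, so a rejected request changes nothing. */
static int change_alarm_fixed(unsigned mask, const AlarmChange *c) {
    Alarm next = g_alarm;
    if (mask & CHG_COUNTER) {
        if (!obj_valid(c->counter)) return -1;
        next.counter = c->counter;
    }
    if (mask & CHG_THRESHOLD) {
        if (c->threshold <= 0) return -1;
        next.threshold = c->threshold;
    }
    if (next.counter != g_alarm.counter && g_alarm.counter != NO_OBJ) g_objs[g_alarm.counter].has_watcher = false;
    g_alarm = next;
    return init_trigger();
}

/* Alarm firing: -1 on a stale reference (a real server reads freed memory here), 1 fires, 0 not. */
static int alarm_fire(void) {
    if (g_alarm.counter == NO_OBJ) return 0;
    if (!g_objs[g_alarm.counter].alive) return -1;
    return g_objs[g_alarm.counter].value >= g_alarm.threshold;
}

/* Scenario: the alarm watches A; a request switches it to B with an invalid threshold
 * (constructed rule: thresholds must be positive); B is destroyed; the alarm fires. */
static int run_scenario(int (*change)(unsigned, const AlarmChange *)) {
    model_reset();
    int a = obj_create(1), b = obj_create(5);
    g_alarm.counter = a; g_alarm.threshold = 3;
    init_trigger();
    AlarmChange bad = { .counter = b, .threshold = 0 };
    if (change(CHG_COUNTER | CHG_THRESHOLD, &bad) != -1) return -2;  /* must be rejected */
    obj_destroy(b);
    return alarm_fire();
}

int main(void) {
    printf("vulnerable shape: %d (-1 = stale reference)\n", run_scenario(change_alarm_vulnerable));
    printf("hardened shape:   %d (0 = still watching A)\n", run_scenario(change_alarm_fixed));
}
```

Both variants reject the same request, which is the point: the difference is only whether the live alarm was mutated before the rejection. The vulnerable scenario ends with the alarm referencing the destroyed object B, while the hardened scenario leaves it registered on A, still unfired because A's value is below the threshold.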

Details

CWE(s)

CWE-416 Use After Free

Affected Products

Vendor     Product            Versions
tigervnc   tigervnc           all versions
x.org      x server           ≤ 21.1.16
x.org      xwayland           ≤ 24.1.6
redhat     enterprise linux   7.0, 8.0, 9.0

CVEs Like This One

CVE-2025-26594 (same product: Red Hat Enterprise Linux)
CVE-2025-26600 (same product: Red Hat Enterprise Linux)
CVE-2025-26597 (same product: Red Hat Enterprise Linux)
CVE-2025-26599 (same product: Red Hat Enterprise Linux)
CVE-2025-26596 (same product: Red Hat Enterprise Linux)
CVE-2025-26598 (same product: Red Hat Enterprise Linux)
CVE-2025-26595 (same product: Red Hat Enterprise Linux)
CVE-2025-21406 (shared CWE-416)
CVE-2025-0075 (shared CWE-416)
CVE-2025-21295 (shared CWE-416)
