Cyber Resilience

CVE-2026-34003

Severity: High (updated)

Published: 23 April 2026
Modified: 08 June 2026
KEV Added: not listed
Patch: available (see the Red Hat advisories below)
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.2th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34003 is a high-severity Out-of-bounds Read (CWE-125) vulnerability. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 0.2th percentile by exploit likelihood (EPSS), well below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34003, published on 2026-04-23, is a flaw in the X.Org X server's validation of XKB key types requests that leads to an out-of-bounds read (CWE-125). The affected component is the X.Org X server, where insufficient validation of requests can lead to memory corruption. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), rated as high severity.

A local attacker with low privileges can exploit this by sending a specially crafted request to the X server. Successful exploitation could result in the disclosure of sensitive information, a crash of the server causing a denial of service (DoS), or higher impact outcomes in certain configurations.

Red Hat has addressed the issue in multiple security advisories with patches available for affected systems, including RHSA-2026:10739, RHSA-2026:11352, RHSA-2026:11369, RHSA-2026:11388, and RHSA-2026:11656. Security practitioners should apply these updates promptly to mitigate the risk.

EU & UK References

Vulnerability details

A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to crash, leading to a Denial of Service (DoS). In certain configurations, higher impact outcomes may be possible.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The flaw is a local out-of-bounds memory access in the X.Org X server that a low-privileged user can reach with crafted requests, which is the pattern this privilege-escalation technique describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23673 (shared CWE-125)
CVE-2026-31675 (shared CWE-125)
CVE-2026-25174 (shared CWE-125)
CVE-2025-49687 (shared CWE-125)
CVE-2026-32076 (shared CWE-125)
CVE-2024-57998 (shared CWE-125)
CVE-2025-24228 (shared CWE-125)
CVE-2026-43048 (shared CWE-125)
CVE-2026-25175 (shared CWE-125)
CVE-2026-31641 (shared CWE-125)

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 (Flaw Remediation): Directly remediates the X.Org X server flaw by requiring timely application of vendor patches such as those in Red Hat advisories RHSA-2026:10739 et al.

prevent · SI-10 (Information Input Validation): Mandates validation of information inputs such as XKB key types requests to block specially crafted requests causing out-of-bounds memory access.

prevent: Implements memory protection mechanisms to restrict the impact of out-of-bounds access even if input validation fails.
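The following is an added illustration and is not code from the X.Org X server or from this record. It shows the class of request-length check that the SI-10 control above asks for, the one whose absence produces a CWE-125 out-of-bounds read: a count field in an untrusted request header is compared against the number of bytes actually received before any entry is read. The request layout (a hypothetical 4-byte header with a 16-bit count, followed by 4-byte entries) is an assumption for the example and is not the XKB protocol.

```c
/* Added example: validating an untrusted count field against the bytes actually
 * received before reading entries (the check whose absence yields a CWE-125 read).
 * The request layout below is HYPOTHETICAL and is not the X server's XKB protocol. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN   4u   /* opcode(1) + pad(1) + n_entries(2, little-endian) */
#define ENTRY_LEN 4u   /* each entry is one little-endian uint32 */

enum { REQ_OK = 0, REQ_BAD_LENGTH = -1 };

/* Byte-wise reads: no alignment or host byte-order assumptions on the buffer. */
static uint16_t read_u16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The input-validation step: the header must be complete, and the number of
 * entries it claims must fit inside the bytes received. Without this check the
 * handler's loop would read past the end of the request buffer. */
int validate_request(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < HDR_LEN)
        return REQ_BAD_LENGTH;                  /* header itself is truncated */
    size_t n = read_u16le(buf + 2);
    /* n <= 65535, so n * ENTRY_LEN cannot overflow size_t here. */
    if (n * ENTRY_LEN > len - HDR_LEN)
        return REQ_BAD_LENGTH;                  /* claimed count exceeds payload */
    return REQ_OK;
}

/* Hardened handler: rejects the request before touching any entry. The sum of
 * the entries stands in for real processing and is written to *out. */
int handle_request(const uint8_t *buf, size_t len, uint32_t *out) {
    int rc = validate_request(buf, len);
    if (rc != REQ_OK)
        return rc;
    size_t n = read_u16le(buf + 2);
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += read_u32le(buf + HDR_LEN + i * ENTRY_LEN);
    *out = sum;
    return REQ_OK;
}

int main(void) {
    /* Constructed sample requests (not captured traffic). */
    const uint8_t well_formed[] = { 0x01, 0x00, 0x02, 0x00,   /* claims 2 entries */
                                    1, 0, 0, 0,  2, 0, 0, 0 }; /* and carries 2 */
    const uint8_t over_claim[]  = { 0x01, 0x00, 0x05, 0x00,   /* claims 5 entries */
                                    1, 0, 0, 0,  2, 0, 0, 0 }; /* but carries 2 */
    uint32_t out = 0;
    printf("well-formed: rc=%d sum=%u\n",
           handle_request(well_formed, sizeof well_formed, &out), out);
    printf("over-claim:  rc=%d (rejected before any entry is read)\n",
           handle_request(over_claim, sizeof over_claim, &out));
    return 0;
}
```

The point of the shape is that the length check happens once, on the request boundary, before the handler's loop is entered; a handler that reads entries and checks afterwards has already performed the out-of-bounds read.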

References