CVE-2026-34003
Published: 23 April 2026
Summary
CVE-2026-34003 is a high-severity Out-of-bounds Read (CWE-125) vulnerability. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 0.2 percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-34003, published on 2026-04-23, is a flaw in the X.Org X server's XKB key types request validation that enables an out-of-bounds memory access vulnerability (CWE-125). The affected component is the X.Org X server, where insufficient validation of requests can lead to memory corruption. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), rated as high severity.
A local attacker with low privileges can exploit this by sending a specially crafted request to the X server. Successful exploitation could result in the disclosure of sensitive information, a crash of the server causing a denial of service (DoS), or higher impact outcomes in certain configurations.
Red Hat has addressed the issue in multiple security advisories with patches available for affected systems, including RHSA-2026:10739, RHSA-2026:11352, RHSA-2026:11369, RHSA-2026:11388, and RHSA-2026:11656. Security practitioners should apply these updates promptly to mitigate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25231
Vulnerability details
A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to crash, leading to a Denial of Service (DoS). In certain configurations, higher impact outcomes may be possible.
- CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds memory access in the X.Org X server, reachable by a low-privileged local attacker through crafted requests, maps to Exploitation for Privilege Escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the X.Org X server flaw by requiring timely application of vendor patches, such as those in Red Hat advisories RHSA-2026:10739 et al.
- SI-10 (Information Input Validation): Mandates validation of information inputs, such as XKB key types requests, to block specially crafted requests that cause out-of-bounds memory access.
- SI-16 (Memory Protection): Implements memory protection mechanisms to restrict the impact of an out-of-bounds access even if input validation fails.