CVE-2025-26599

HIGH

X.Org - Use After Free

Title source: llm

Description

An access to an uninitialized pointer flaw was found in X.Org and Xwayland. The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error without validating the window tree marked just before, which leaves the validated data partly initialized and the use of an uninitialized pointer later.

References (17)

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:2500

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:2502

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:2861

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:2862

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:2865

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:2866

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:2873

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:2874

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:2875

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:2879

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2025:2880

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:7163

[Third Party Advisory] https://access.redhat.com/security/cve/CVE-2025-26599

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2345253

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/02/msg00036.html

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:7165

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:7458

Scores

CVSS v3 7.8

EPSS 0.0006

EPSS Percentile 18.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-824

Status published

Affected Products (6)

tigervnc/tigervnc

x.org/x_server < 21.1.16

x.org/xwayland < 24.1.6

redhat/enterprise_linux

redhat/enterprise_linux

redhat/enterprise_linux

Timeline

Published Feb 25, 2025

Tracked Since Feb 18, 2026