Bug#1098906: xorg-server: CVE-2025-26594 CVE-2025-26595 CVE-2025-26596 CVE-2025-26597 CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601
Source: xorg-server
Version: 2:21.1.15-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2:21.1.7-3
Control: fixed -1 2:21.1.7-3+deb12u9
Hi,
The following vulnerabilities were published for xorg-server.
CVE-2025-26594[0]:
| A use-after-free flaw was found in X.Org and Xwayland. The root
| cursor is referenced in the X server as a global variable. If a
| client frees the root cursor, the internal reference points to freed
| memory and causes a use-after-free.
CVE-2025-26595[1]:
| A buffer overflow flaw was found in X.Org and Xwayland. The code in
| XkbVModMaskText() allocates a fixed-sized buffer on the stack and
| copies the names of the virtual modifiers to that buffer. The code
| fails to check the bounds of the buffer and would copy the data
| regardless of the size.
CVE-2025-26596[2]:
| A heap overflow flaw was found in X.Org and Xwayland. The
| computation of the length in XkbSizeKeySyms() differs from what is
| written in XkbWriteKeySyms(), which may lead to a heap-based buffer
| overflow.
CVE-2025-26597[3]:
| A buffer overflow flaw was found in X.Org and Xwayland. If
| XkbChangeTypesOfKey() is called with a 0 group, it will resize the
| key symbols table to 0 but leave the key actions unchanged. If the
| same function is later called with a non-zero value of groups, this
| will cause a buffer overflow because the key actions are of the
| wrong size.
CVE-2025-26598[4]:
| An out-of-bounds write flaw was found in X.Org and Xwayland. The
| function GetBarrierDevice() searches for the pointer device based on
| its device ID and returns the matching value, or supposedly NULL, if
| no match was found. However, the code will return the last element
| of the list if no matching device ID is found, which can lead to
| out-of-bounds memory access.
CVE-2025-26599[5]:
| An access to an uninitialized pointer flaw was found in X.Org and
| Xwayland. The function compCheckRedirect() may fail if it cannot
| allocate the backing pixmap. In that case, compRedirectWindow() will
| return a BadAlloc error without validating the window tree marked
| just before, which leaves the validated data partly initialized and
| the use of an uninitialized pointer later.
CVE-2025-26600[6]:
| A use-after-free flaw was found in X.Org and Xwayland. When a device
| is removed while still frozen, the events queued for that device
| remain while the device is freed. Replaying the events will cause a
| use-after-free.
CVE-2025-26601[7]:
| A use-after-free flaw was found in X.Org and Xwayland. When changing
| an alarm, the values of the change mask are evaluated one after the
| other, changing the trigger values as requested, and eventually,
| SyncInitTrigger() is called. If one of the changes triggers an
| error, the function will return early, not adding the new sync
| object, possibly causing a use-after-free when the alarm eventually
| triggers.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-26594
https://www.cve.org/CVERecord?id=CVE-2025-26594
[1] https://security-tracker.debian.org/tracker/CVE-2025-26595
https://www.cve.org/CVERecord?id=CVE-2025-26595
[2] https://security-tracker.debian.org/tracker/CVE-2025-26596
https://www.cve.org/CVERecord?id=CVE-2025-26596
[3] https://security-tracker.debian.org/tracker/CVE-2025-26597
https://www.cve.org/CVERecord?id=CVE-2025-26597
[4] https://security-tracker.debian.org/tracker/CVE-2025-26598
https://www.cve.org/CVERecord?id=CVE-2025-26598
[5] https://security-tracker.debian.org/tracker/CVE-2025-26599
https://www.cve.org/CVERecord?id=CVE-2025-26599
[6] https://security-tracker.debian.org/tracker/CVE-2025-26600
https://www.cve.org/CVERecord?id=CVE-2025-26600
[7] https://security-tracker.debian.org/tracker/CVE-2025-26601
https://www.cve.org/CVERecord?id=CVE-2025-26601
[8] https://lists.x.org/archives/xorg-announce/2025-February/003584.html
Regards,
Salvatore
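
Added example, not part of the original report and not X server code: a minimal C model of the lookup contract described for CVE-2025-26598, where a search that should return NULL on a miss hands back the last list element instead. The struct, function names and the `hits` field are hypothetical; in this model the miss updates the wrong record, which stands in for the invalid memory access the advisory describes.

```c
#include <stddef.h>

/* Hypothetical per-device record; not the X server's real structure. */
struct per_device {
    int deviceid;
    int hits;                 /* state a caller updates after lookup */
    struct per_device *next;
};

/* Flawed pattern: the result is assigned before the match test, so a
 * failed search falls out of the loop still holding the last node. */
static struct per_device *lookup_flawed(struct per_device *head, int deviceid)
{
    struct per_device *pd = NULL;
    for (struct per_device *it = head; it != NULL; it = it->next) {
        pd = it;
        if (it->deviceid == deviceid)
            break;
    }
    return pd;   /* non-NULL even when no id matched */
}

/* Hardened pattern: return only from the matching branch, NULL otherwise. */
static struct per_device *lookup_checked(struct per_device *head, int deviceid)
{
    for (struct per_device *it = head; it != NULL; it = it->next) {
        if (it->deviceid == deviceid)
            return it;
    }
    return NULL;
}

/* Caller that relies on the "NULL means not found" contract. Returns 0 on
 * success and -1 for an unknown device. With lookup_flawed and a non-empty
 * list the -1 path is never taken, so another device's state is modified. */
static int record_hit(struct per_device *(*lookup)(struct per_device *, int),
                      struct per_device *head, int deviceid)
{
    struct per_device *pd = lookup(head, deviceid);
    if (pd == NULL)
        return -1;
    pd->hits++;
    return 0;
}
```

The caller's NULL check is identical in both cases; only the lookup's miss behaviour decides whether it protects anything.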