Introduction
A single memory safety flaw in a core display server can disrupt graphical environments across countless Linux desktops and servers. CVE-2025-62229, a use-after-free vulnerability in X.Org X Server and Xwayland, demonstrates how subtle bugs in protocol extensions can cascade into privilege escalation or denial of service for end users and enterprises alike.
The X.Org Foundation is responsible for the X.Org X Server, which serves as the de facto standard display server for Unix-like operating systems, and for Xwayland, which allows X11 applications to run on Wayland-based systems. These components are deployed on millions of devices worldwide, forming the backbone of graphical environments for Linux and BSD distributions. Their reliability and security are critical to the stability of the open-source desktop ecosystem.
Technical Information
CVE-2025-62229 is rooted in the Present extension of the X.Org X Server and Xwayland. The vulnerability specifically arises in the present_create_notifies function, which is responsible for handling notifications when a client requests to present a pixmap (an off-screen image) to a window. The Present extension is designed to provide smooth, tear-free updates by synchronizing pixmap presentation with the display refresh cycle.
The flaw occurs during error handling in the notification creation process. When an error is triggered after a notification has already been added to the internal notification list, the cleanup logic does not correctly account for the number of notifications that have been added. As a result, a dangling pointer is left behind. When the notification structures are later destroyed, this dangling pointer leads to a use-after-free condition. This can cause memory corruption, server crashes, or potentially allow an attacker to execute arbitrary code with the privileges of the X server process.
The vulnerability is classified as CWE-416 (use-after-free). It is present in X.Org X Server versions from 1.15 up to (but not including) 21.1.18 and Xwayland up to (but not including) 24.1.8. The bug was introduced in Xorg 1.15, released in December 2013, and remained undetected for over a decade. The issue was discovered by Jan-Niklas Sohn working with Trend Micro’s Zero Day Initiative and disclosed in October 2025.
No public code snippets are available in advisories, but the technical root cause is well documented in mailing list discussions and security trackers. The error path in present_create_notifies fails to properly free notification structures if an error occurs after insertion into the notification list, leaving a pointer to freed memory that can later be dereferenced.
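The cleanup accounting described above, modelled in C as an added example; this is a constructed illustration, not the xserver's present_create_notifies code, and the per-window list, the added counter and the validation step that fails after insertion are assumptions. The buggy variant counts a record only after it passes validation, so the record registered just before the error is never unregistered; the fixed variant counts it as soon as it is added:

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the present_create_notifies error path (not xserver
 * code): each notify record is registered on its window before the request
 * is fully validated, so error cleanup must unregister every record added. */
#define MAX_WINDOWS 2

struct window { int id; struct notify *registered; };
struct notify { struct window *window; struct notify *next; };

static void register_notify(struct window *w, struct notify *nt) {
    nt->window = w;
    nt->next = w->registered;
    w->registered = nt;
}

static void unregister_notify(struct notify *nt) {
    struct notify **pp = &nt->window->registered;
    while (*pp != nt) pp = &(*pp)->next;
    *pp = nt->next;
}

/* Cleanup helper: unregisters the first 'count' records of the array. */
static void destroy_notifies(struct notify *notifies, int count) {
    for (int i = 0; i < count; i++) unregister_notify(&notifies[i]);
}

/* Creates n notifies; request 'fail_at' (none if < 0) fails validation after
 * its record was registered. Returns how many records are still registered on
 * a window once cleanup ran: the caller frees the array next, so each survivor
 * is a dangling pointer (0 = clean). 'fixed' selects the corrected accounting. */
static int create_notifies_dangling(int n, int fail_at, bool fixed) {
    struct window wins[MAX_WINDOWS] = { {1, NULL}, {2, NULL} };
    struct notify *notifies = calloc((size_t)n, sizeof *notifies);
    int added = 0, dangling = 0;
    if (!notifies) return -1;
    for (int i = 0; i < n; i++) {
        register_notify(&wins[i % MAX_WINDOWS], &notifies[i]);
        if (fixed) added = i + 1;      /* fixed: counted as soon as it is added */
        if (i == fail_at) break;       /* error raised after the record was added */
        if (!fixed) added = i + 1;     /* buggy: counted only after validation */
    }
    destroy_notifies(notifies, added); /* error cleanup unregisters 'added' records */
    for (int w = 0; w < MAX_WINDOWS; w++)
        for (struct notify *p = wins[w].registered; p; p = p->next) dangling++;
    free(notifies);                    /* any survivor now points at freed memory */
    return dangling;
}
```

With three requests and the third failing, the buggy accounting leaves one record registered (the use-after-free precondition), the fixed accounting leaves none.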
Affected Systems and Versions
CVE-2025-62229 affects:
- X.Org X Server versions from 1.15 up to (but not including) 21.1.18
- Xwayland versions up to (but not including) 24.1.8
The vulnerability is present in any configuration where the Present extension is enabled and can be triggered by local users with access to the X server. The issue is fixed in xorg-server 21.1.19 and xwayland 24.1.9. Major Linux distributions, including Ubuntu, Debian, and SUSE, have released patched packages.
Vendor Security History
The X.Org Foundation has a long history of security advisories, particularly involving memory safety issues such as use-after-free, buffer overflows, and privilege escalation flaws. The organization typically coordinates timely patch releases with major Linux distributions and maintains a public security advisory process. Recent years have seen multiple vulnerabilities in the Present extension and related protocol handling code, reflecting the challenges of maintaining a legacy C codebase with complex protocol extensions. The response to CVE-2025-62229 was prompt, with patches released in coordination with the public disclosure.