Introduction
A classic constant mismatch between the X.Org X server and the libXfont2 library has created a deterministic stack buffer overflow that gives local attackers up to 768 bytes of controlled overwrite during font alias resolution. For the many Linux systems still running X.Org as root, whether legacy enterprise workstations, thin clients, kiosk systems, or HPC clusters with X forwarding, this CVSS 7.8 vulnerability (CVE-2026-50256) represents a direct path from low-privilege local access to full root compromise.
This vulnerability was disclosed on June 2, 2026 as part of a nine-CVE batch advisory affecting the X.Org X server and Xwayland, and was discovered by an anonymous researcher through the TrendAI Zero Day Initiative (ZDI-CAN-30136).
Technical Information
Root Cause: A Dangerous Constant Mismatch
The vulnerability exists because two components in the X display stack disagree on the maximum length of a font name. The X server defines XLFDMAXFONTNAMELEN as 256 bytes in dix/closestr.h and uses this constant to size stack-allocated buffers for font alias names. Meanwhile, libXfont2, the library responsible for resolving font aliases from fonts.alias files, permits alias target names up to 1024 bytes (its own MAXFONTNAMELEN constant).
| Component | Maximum Font Name Length | Role |
|---|---|---|
| X server (dix) | 256 bytes (stack buffer) | Consumes the alias name |
| libXfont2 | 1024 bytes (alias target) | Produces the alias name |
This mismatch creates a 768-byte overflow window. Any font alias name between 257 and 1023 bytes will be copied into the undersized 256-byte stack buffer via memcpy (in doListFontsAndAliases()) or memmove (in doListFontsWithInfo()) without any length validation. The excess bytes overwrite adjacent stack memory, including local variables and return addresses.
CVSS Vector Breakdown
The CVSS vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H tells us several important things about exploitability:
- Attack Vector: Local (AV:L): The attacker needs local access and an authenticated X client connection. This is not remotely exploitable over the network, though SSH X11 forwarding could extend reach.
- Attack Complexity: Low (AC:L): The overflow is deterministic. No race conditions, no special timing, no unusual configuration. Supply a font alias name of the right length and the overflow occurs every time.
- Privileges Required: Low (PR:L): Standard user-level X session access is sufficient to trigger the flaw.
- User Interaction: None (UI:N): The overflow occurs automatically during font alias resolution without any action from the victim.
- Impact: High across all three dimensions (C:H/I:H/A:H): Successful exploitation yields full compromise of the X server process.
Attack Flow
The exploitation chain is straightforward:
- An attacker with an authenticated X client connection requests a font whose alias name is between 257 and 1023 bytes long.
- During alias resolution,
libXfont2returns the alias target name (which can be up to 1024 bytes). - The X server copies this name into its 256-byte stack buffer using
memcpyormemmovewithout any length validation. - The stack frame is corrupted by the excess bytes, up to 768 bytes of controlled overwrite.
- The attacker achieves either a denial of service (crash) or, if the X server runs as root, privilege escalation through return address overwrite.
Stack-based buffer overflows with this much controlled overwrite are among the most well-understood exploitation primitives in security research. Return address overwrite and ROP chain construction are established techniques for this vulnerability class, and the deterministic nature of the overflow eliminates the need for heap grooming or timing tricks.
CWE Classification
The CVE submission lists CWE-121 (Stack-based Buffer Overflow), while Red Hat classifies it as CWE-787 (Out-of-bounds Write). Both are accurate: CWE-121 is a child of CWE-787, specific to stack-allocated buffers.
Part of a Nine-Vulnerability Batch
CVE-2026-50256 was disclosed alongside eight other vulnerabilities in the same X.Org Security Advisory, all affecting X server prior to 21.1.23 and Xwayland prior to 24.1.12:
| Vulnerability | ZDI Tracking | Type |
|---|---|---|
| Font Alias Buffer Overflow | ZDI-CAN-30136 | Stack buffer overflow (this CVE) |
| XKB Key Types Overflow | ZDI-CAN-30160 | Stack buffer overflow (incomplete fix of CVE-2025-26597) |
| XKB SetMap Overflow | ZDI-CAN-30161 | Stack buffer overflow |
| XSYNC miSyncDestroyFence | ZDI-CAN-30159 | Use-after-free |
| XSYNC FreeCounter | ZDI-CAN-30163 | Use-after-free |
| XSYNC SyncChangeCounter | ZDI-CAN-30164 | Use-after-free |
| GLX ChangeDrawableAttributes | ZDI-CAN-30165 | OOB read/write |
| CreateSaverWindow | ZDI-CAN-30168 | Use-after-free |
| DRI2 DRIGetBuffers | N/A | OOB heap write |
The co-occurrence of three stack-based buffer overflows and three use-after-free vulnerabilities in a single advisory underscores systemic memory safety deficiencies in the X server codebase.
Patch Information
The vulnerability was fixed in a single, focused commit (bb5158f962dc935e58ef8b4b5fcb31be201a6e07) in the X.Org xserver repository. The patch was released as part of xorg-server 21.1.23 and xwayland 24.1.12 on June 2, 2026. It touches two files: dix/closestr.h (the constant definition) and dix/dixfonts.c (the code that copies font names).
Part 1: Correcting the Buffer Size Constant (dix/closestr.h)
The core fix raises XLFDMAXFONTNAMELEN to match the library's maximum:
-#define XLFDMAXFONTNAMELEN 256 +/* libXfont2 allows font names/aliases up to MAXFONTNAMELEN (1024) bytes in + * fonts.alias files. The server's pattern buffers must be large enough to + * hold resolved alias targets returned by the font library. + * ZDI-CAN-30136 + */ +#define XLFDMAXFONTNAMELEN 1024
This change directly enlarges the stack-allocated pattern[] buffer inside struct _LFWIstate (used by ListFontsWithInfo) so it can safely hold the longest name the font library might return.
Part 2: Adding Bounds Checks Before Copy Operations (dix/dixfonts.c)
Even after resizing the buffer, the developers added explicit length validation before copying resolved font names as a defense-in-depth measure. Two functions received identical guard clauses.
In doListFontsAndAliases(), before the memcpy of the resolved alias name into the tmp_pattern buffer:
+ if (resolvedlen > XLFDMAXFONTNAMELEN) { + err = BadFontName; + goto ContBadFontName; + } memcpy(tmp_pattern, resolved, resolvedlen);
And in doListFontsWithInfo(), before the memmove that copies the name into c->current.pattern:
+ if (namelen > XLFDMAXFONTNAMELEN) { + err = BadFontName; + goto ContBadFontName; + } memmove(c->current.pattern, name, namelen);
In both cases, if a name exceeds XLFDMAXFONTNAMELEN, the server now cleanly rejects it with a BadFontName error rather than blindly writing past the end of the buffer. This two-layer approach (correct buffer size plus explicit bounds check) ensures the copy operations can never overflow their target buffers regardless of what the font library returns.
Downstream distributions including Red Hat (tracked via Bugzilla #2485380) and Rocky Linux (RLSA-2026:11369) have shipped or are preparing corresponding package updates.
Affected Systems and Versions
The following products are affected:
- xorg-server: All versions prior to 21.1.23
- xwayland: All versions prior to 24.1.12
Systems running the X server as root (common in legacy configurations, RHEL 7 and earlier defaults, thin clients, kiosk systems, and HPC clusters with X forwarding) face the most severe risk, as the overflow enables privilege escalation in that configuration.
Red Hat has the following products under investigation as of June 5, 2026:
| Red Hat Product | Status |
|---|---|
| Red Hat Enterprise Linux 9 | Under investigation |
| Red Hat Enterprise Linux 8 | Under investigation |
| Red Hat Enterprise Linux 7 | Under investigation |
| Red Hat Enterprise Linux 6 | Under investigation |
| Red Hat Virtualization | Under investigation |
| Red Hat Enterprise Linux for Real Time | Under investigation |
No Red Hat errata have been published yet. Enterprise customers should monitor the Red Hat Customer Portal for updates.
Vendor Security History
The X.Org project has a well-documented history of memory safety vulnerabilities. Recent advisory frequency illustrates the pattern:
| Date | Advisory Scope | CVEs | Key Vulnerability Types |
|---|---|---|---|
| June 2, 2026 | X server < 21.1.23, Xwayland < 24.1.12 | 9+ | Stack overflows, UAF, OOB write |
| April 21, 2026 | libXpm < 3.5.19 | 1 | OOB read |
| April 14, 2026 | X server < 21.1.22, Xwayland < 24.1.10 | 5 | Integer underflow, buffer overflow |
| October 28, 2025 | X server < 21.1.18, Xwayland < 24.1.8 | 3 | UAF, value overflow |
| February 25, 2025 | X server < 21.1.16, Xwayland < 24.1.6 | 8 | Multiple memory safety issues |
| April 3, 2024 | X server < 21.1.12, Xwayland < 23.2.5 | 4 | Heap overread, UAF |
The June 2026 advisory is the third X.Org security batch in 2026 alone. The dominant vulnerability classes remain stack and heap buffer overflows and use-after-free conditions, all hallmarks of C code lacking memory safety guarantees. Notably, the June 2026 batch includes an incomplete fix for CVE-2025-26597, demonstrating that even patches can fail to fully resolve the underlying issues.
The advisory was authored by Peter Hutterer, a Red Hat employee who also discovered the DRI2 vulnerability in the same batch, indicating Red Hat's continued investment in X server security maintenance. Seven of the nine vulnerabilities were reported through the TrendAI Zero Day Initiative, reflecting the program's systematic approach to auditing the X server codebase.
For organizations still relying on X11, this recurring pattern reinforces the case for evaluating migration to Wayland-only deployments where feasible.
References
- NVD: CVE-2026-50256
- Red Hat CVE Page: CVE-2026-50256
- Red Hat Bugzilla #2485380
- X.Org Security Advisory: June 2026
- oss-security Mailing List Disclosure
- Upstream Fix Commit
- Upstream Fix Commit (diff)
- X.Org Security Advisories History
- Gaming on Linux Coverage
- CISA Known Exploited Vulnerabilities Catalog



