LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2023-5367
CVE STATUS: Patched
CVE SUMMARY: A out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5367

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2023-5380
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 4.7
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5380

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2023-6377
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in xorg-server. Querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution in cases where X11 forwarding is involved.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6377

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2023-6478
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in xorg-server. A specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.6
CVSS v4 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6478

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2023-6816
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.8
CVSS v4 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6816

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2024-0229
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0229

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2024-0408
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0408

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2024-0409
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0409

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2024-9632
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-9632

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2025-26594
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in X.Org and Xwayland. The root cursor is referenced in the X server as a global variable. If a client frees the root cursor, the internal reference points to freed memory and causes a use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-26594

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2025-26595
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow flaw was found in X.Org and Xwayland. The code in XkbVModMaskText() allocates a fixed-sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code fails to check the bounds of the buffer and would copy the data regardless of the size.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-26595

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2025-26596
CVE STATUS: Patched
CVE SUMMARY: A heap overflow flaw was found in X.Org and Xwayland. The computation of the length in XkbSizeKeySyms() differs from what is written in XkbWriteKeySyms(), which may lead to a heap-based buffer overflow.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-26596

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2025-26597
CVE STATUS: Patched
CVE SUMMARY: A buffer overflow flaw was found in X.Org and Xwayland. If XkbChangeTypesOfKey() is called with a 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If the same function is later called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-26597

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2025-26598
CVE STATUS: Patched
CVE SUMMARY: An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searches for the pointer device based on its device ID and returns the matching value, or supposedly NULL, if no match was found. However, the code will return the last element of the list if no matching device ID is found, which can lead to out-of-bounds memory access.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-26598

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2025-26599
CVE STATUS: Patched
CVE SUMMARY: An access to an uninitialized pointer flaw was found in X.Org and Xwayland. The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error without validating the window tree marked just before, which leaves the validated data partly initialized and the use of an uninitialized pointer later.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-26599

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2025-26600
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in X.Org and Xwayland. When a device is removed while still frozen, the events queued for that device remain while the device is freed. Replaying the events will cause a use-after-free.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-26600

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2025-26601
CVE STATUS: Patched
CVE SUMMARY: A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object, possibly causing a use-after-free when the alarm eventually triggers.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-26601

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2025-49175
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the X Rendering extension's handling of animated cursors. If a client provides no cursors, the server assumes at least one is present, leading to an out-of-bounds read and potential crash.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-49175

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2025-49176
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the Big Requests extension. The request length is multiplied by 4 before checking against the maximum allowed size, potentially causing an integer overflow and bypassing the size check.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-49176

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2025-49177
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 6.1
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-49177

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2025-49178
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 5.5
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-49178

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2025-49179
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients function does not check for an integer overflow when computing request length, which allows a client to bypass length checks.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.3
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-49179

LAYER: meta
PACKAGE NAME: xwayland
PACKAGE VERSION: 23.2.5
CVE: CVE-2025-49180
CVE STATUS: Patched
CVE SUMMARY: A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-49180