Heap Use After Free Vulnerability in Xorg and Xwayland
CVE-2026-56000

9CRITICAL

Key Information:

Vendor

X.org

Vendor
CVE Published:
8 July 2026

What is CVE-2026-56000?

In the X server versions prior to 21.2.24 and Xwayland versions prior to 24.1.13, a vulnerability exists that allows local attackers to exploit a heap use after free condition. This arises when the CommonMakeCurrent() function references memory that may have been reallocated, leading to potential manipulation of the X server environment. Attackers with the ability to send GLX commits to the server can leverage this flaw to cause unexpected behavior or crashes.

Affected Version(s)

xorg-x11-server 0 < 21.1.24

xwayland 0 < 24.1.13

References

CVSS V4

Score:
9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Anonymous working with Trend Micro Zero Day Initiative.
.