CVE-2025-26594
Published: 25 February 2025
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2025-26594 is a use-after-free vulnerability (CWE-416) affecting X.Org and Xwayland. The flaw occurs because the root cursor is referenced in the X server as a global variable. If a client frees the root cursor, the internal reference continues to point to freed memory, triggering a use-after-free condition. The vulnerability was published on 2025-02-25.
The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). A local attacker with low privileges can exploit it through low-complexity means without requiring user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or system crashes.
Red Hat has issued multiple errata addressing this issue, including RHSA-2025:2500, RHSA-2025:2502, RHSA-2025:2861, RHSA-2025:2862, and RHSA-2025:2865. Security practitioners should review these advisories for detailed patching instructions and mitigation guidance specific to affected Red Hat products.
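The pattern described in the summary (a server-wide global that keeps pointing at an object a client can release), shown as an added example in a simplified C model. This is not X.Org or Xwayland source: every name is hypothetical, the cursor id is constructed, and a static pool with a `live` flag stands in for the allocator so the dangling state can be observed without touching freed memory.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model, NOT X.Org source: all names here are hypothetical. */
enum { OK = 0, BAD_CURSOR = 1 };
#define MAX_CURSORS 4

typedef struct { int id; int refcnt; int live; } Cursor;

static Cursor pool[MAX_CURSORS];  /* "freeing" only clears live: no real UB */
static Cursor *root_cursor;       /* server-wide global reference */

static Cursor *cursor_create(int id) {
    for (int i = 0; i < MAX_CURSORS; i++)
        if (!pool[i].live) {
            pool[i] = (Cursor){ .id = id, .refcnt = 1, .live = 1 };
            return &pool[i];
        }
    return NULL;
}

static Cursor *cursor_lookup(int id) {
    for (int i = 0; i < MAX_CURSORS; i++)
        if (pool[i].live && pool[i].id == id) return &pool[i];
    return NULL;
}

/* Client-driven free request; guard == 0 models the flawed handler. */
static int handle_free_cursor(int id, int guard) {
    Cursor *c = cursor_lookup(id);
    if (c == NULL) return BAD_CURSOR;
    if (guard && c == root_cursor) return BAD_CURSOR; /* hardened: refuse */
    if (--c->refcnt == 0) c->live = 0;                /* object released */
    return OK;
}

/* 1 when the global still points at a live object, 0 when it dangles. */
static int root_cursor_valid(void) { return root_cursor && root_cursor->live; }

/* Runs one scenario from a clean state; reports whether the global survived. */
static int run_scenario(int guard) {
    for (int i = 0; i < MAX_CURSORS; i++) pool[i] = (Cursor){0};
    root_cursor = cursor_create(1);   /* constructed id for the root cursor */
    handle_free_cursor(1, guard);     /* a client asks to free it */
    return root_cursor_valid();
}

int main(void) {
    printf("unguarded: root valid = %d\n", run_scenario(0));
    printf("guarded:   root valid = %d\n", run_scenario(1));
    return 0;
}
```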
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-26594 and the associated vulnerabilities (CVE-2025-26595 through CVE-2025-26601) in Xwayland, addressed in TigerVNC updates, are memory corruption flaws (use-after-free, buffer and heap overflows, out-of-bounds writes, uninitialized pointers) that can be triggered through X protocol handling. In the context of a TigerVNC server (a remote desktop service), they enable remote code execution by a malicious VNC client, facilitating Exploitation of Remote Services (T1210).