CVE-2025-26600
Published: 25 February 2025
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2025-26600 is a use-after-free vulnerability (CWE-416) affecting X.Org and Xwayland. The flaw arises when a device is removed while still in a frozen state, causing events queued for that device to persist even after the device structure is freed. Subsequent replay of these events triggers the use-after-free condition. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of required user interaction. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or system compromise within the affected X server context.
Red Hat has issued multiple errata addressing this issue, including RHSA-2025:2500, RHSA-2025:2502, RHSA-2025:2861, RHSA-2025:2862, and RHSA-2025:2865, which provide patched packages for vulnerable X.Org and Xwayland components on supported systems.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free and related memory corruption vulnerabilities (e.g., buffer overflows, OOB writes) in Xwayland, addressed in TigerVNC updates, occur during input/event processing (e.g., PlayReleasedEvents, Xkb functions), enabling remote code execution via crafted events from a malicious VNC client.