CVE-2025-26601
Published: 25 February 2025
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2025-26601 is a use-after-free vulnerability (CWE-416) affecting X.Org and Xwayland. The flaw occurs when changing an alarm, as the values of the change mask are evaluated sequentially, updating trigger values before calling SyncInitTrigger(). If an error occurs during one of these changes, the function returns early without adding the new sync object, leading to a potential use-after-free when the alarm triggers. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-25.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or system crashes on affected systems running vulnerable versions of X.Org or Xwayland.
Red Hat has issued multiple security errata addressing this vulnerability, including RHSA-2025:2500, RHSA-2025:2502, RHSA-2025:2861, RHSA-2025:2862, and RHSA-2025:2865, which provide updated packages to mitigate the use-after-free flaw in supported products.
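The state-handling pattern described in the summary can be shown with a small model. This is an added example, not X.Org or Xwayland code and not the upstream patch: all types, function names, and the "validate first, then commit" hardened form are assumptions made for illustration. It checks an invariant rather than touching freed memory.

```c
#include <stdbool.h>
/* Simplified model of the pattern; every name here is hypothetical, not X server code. */
enum { CHANGE_COUNTER = 1, CHANGE_VALUE_TYPE = 2 };
typedef struct Trigger Trigger;
typedef struct SyncObj { Trigger *listener; } SyncObj;  /* trigger to notify */
struct Trigger { SyncObj *obj; int value_type; };
typedef struct { unsigned mask; SyncObj *counter; int value_type; } Change;

static bool valid_type(int t) { return t == 0 || t == 1; }
/* Invariant: the object a trigger points at also lists that trigger, so
   destroying the object can find the trigger and clear its pointer. */
bool trigger_consistent(const Trigger *t) {
    return !t->obj || t->obj->listener == t;
}

/* Flawed shape: mask bits applied in order, registration done last. */
int change_sequential(Trigger *t, const Change *c) {
    SyncObj *old = t->obj;
    if (c->mask & CHANGE_COUNTER) t->obj = c->counter;  /* live trigger modified */
    if (c->mask & CHANGE_VALUE_TYPE) {
        if (!valid_type(c->value_type)) return -1;      /* registration skipped */
        t->value_type = c->value_type;
    }
    if (old) old->listener = 0;
    if (t->obj) t->obj->listener = t;
    return 0;
}

/* Hardened shape: validate every requested field, then commit. */
int change_validated(Trigger *t, const Change *c) {
    if ((c->mask & CHANGE_VALUE_TYPE) && !valid_type(c->value_type)) return -1;
    if (c->mask & CHANGE_VALUE_TYPE) t->value_type = c->value_type;
    if (c->mask & CHANGE_COUNTER) {
        if (t->obj) t->obj->listener = 0;
        t->obj = c->counter;
        if (t->obj) t->obj->listener = t;
    }
    return 0;
}

/* Constructed request: switch counters and set value_type in one change. */
bool consistent_after_change(int (*change)(Trigger *, const Change *), int value_type) {
    SyncObj a = {0}, b = {0};
    Trigger t = { &a, 0 };
    Change c = { CHANGE_COUNTER | CHANGE_VALUE_TYPE, &b, value_type };
    a.listener = &t;
    change(&t, &c);
    return trigger_consistent(&t);
}
```

With an invalid value type, the sequential version leaves the trigger pointing at an object that does not know about it, which is the precondition for the dangling reference; the validated version rejects the request with the trigger untouched.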
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The use-after-free in Xwayland's SyncInitTrigger(), along with related memory corruption flaws (buffer overflows, out-of-bounds writes) patched in TigerVNC, enables remote code execution by exploiting vulnerabilities in the remote VNC display service handling X11 protocol extensions.