CVE-2025-26600

Published Feb 25, 2025

Last updated 5 months ago

CVSS high 7.8

Overview

Description
A use-after-free flaw was found in X.Org and Xwayland. When a device is removed while still frozen, the events queued for that device remain while the device is freed. Replaying the events will cause a use-after-free.
Source
secalert@redhat.com
NVD status
Modified
Products
tigervnc, x_server, xwayland, enterprise_linux

Risk scores

CVSS 3.1

Type
Primary
Base score
7.8
Impact score
5.9
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

secalert@redhat.com
CWE-416
nvd@nist.gov
CWE-416

Social media

Hype score
Not currently trending

  1. 🚨 CVE-2025-26600 πŸ”΄ HIGH (7.8) 🏒 Red Hat - Red Hat Enterprise Linux 6 πŸ—οΈ None πŸ”— https://t.co/ZLN43uN1fl πŸ”— https://t.co/BqUvVudhve #CyberCron #VulnAlert @RedHat https://t.co/JinhnFJL1F

    @cybercronai

    27 Feb 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 CVE-2025-26600 - https://t.co/Ni6wH8uSXJ and Xwayland - HIGH 🚨 πŸ—“οΈ Date published 2025-02-25 16:15:39 UTC #X.OrgandXwayland #CyberSecurity #InfoSec #Vulnerability #TechNews https://t.co/d1QcYyXL6w

    @vulns_space

    25 Feb 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-26600 A use-after-free flaw was found in https://t.co/NfcYnrk5RQ and Xwayland. When a device is removed while still frozen, the events queued for that device remain while the device is freed… https://t.co/8jAwcmbLEI

    @CVEnew

    25 Feb 2025

    279 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. A flaw was found in libsoup, a library for handling HTTP requests. This vulnerability, known as a Use-After-Free, occurs in the HTTP/2 server implementation. A remote attacker can exploit this by sending specially crafted HTTP/2 requests that cause authentication failures. This can lead to the application attempting to access memory that has already been freed, potentially causing application instability or crashes, resulting in a Denial of Service (DoS).β€’CVE-2026-4271
  2. A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage Return Line Feed (CRLF) sequence due to improper input sanitization in the `soup_message_headers_set_content_type()` function. This vulnerability allows for the injection of arbitrary header-value pairs, potentially leading to HTTP header injection and response splitting attacks.β€’CVE-2026-3634
  3. A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.β€’CVE-2026-3633
  4. A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, where they can send hidden, malicious requests alongside legitimate ones. In certain situations, this could lead to Server-Side Request Forgery (SSRF), enabling an attacker to force the server to make unauthorized requests to other internal or external systems. The impact is low, as SoupServer is not actually used in internet infrastructure.β€’CVE-2026-3632
  5. A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.β€’CVE-2025-12801

References

Sources include official advisories and independent security research.