AI description
CVE-2026-50262 describes an out-of-bounds read vulnerability affecting the X.Org X server and Xwayland. The flaw resides within the `__glXDisp_ChangeDrawableAttributes()` function, where an improper size validation check permits the reading of a client-controlled number of bytes beyond the allocated request buffer. This vulnerability can lead to information disclosure, as a local user with access to the X server could potentially read sensitive data from the server's process memory. While a write path for this flaw also exists, it is contingent on the use of byte-swapped clients, a configuration that is typically disabled by default.
- Description: An out-of-bounds read flaw was found in the X.Org X server and Xwayland in `__glXDisp_ChangeDrawableAttributes()`. A wrong size validation check can read a client-controlled number of bytes, exceeding the request buffer, leading to information disclosure. A write path also exists but requires byte-swapped clients, which are disabled by default.
- Source: secalert@redhat.com
- NVD status: Undergoing Analysis
CVSS 3.1
- Type: Primary
- Base score: 5.5
- Impact score: 3.6
- Exploitability score: 1.8
- Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Severity: MEDIUM
- secalert@redhat.com: CWE-125
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 4