The X.Org Foundation shipped fixes today for two memory-corruption bugs in the software that draws the Linux desktop: the X server and its Wayland compatibility layer, XWayland. Both flaws let an application that is already connected to the graphics server corrupt its memory. On the many systems where that server still runs as root, the worst case is a full takeover of the machine. Update xorg-server to 21.1.24 and xwayland to 24.1.13.
The two issues, CVE-2026-56000 and CVE-2026-55999, were reported anonymously through Trend Micro's Zero Day Initiative and disclosed in a single X.Org advisory. Neither has a public exploit or any report of exploitation as of publication. The reason to move is the size of the install base, not active attacks: the X server and XWayland sit under most Linux graphical sessions in use today.
The two flaws, side by side
| Flaw | Component | Type | CVSS | Fixed in |
|---|---|---|---|---|
| CVE-2026-56000 | GLX, the OpenGL extension | Use-after-free in CommonMakeCurrent() | 9.0 (v4.0) | xorg-server 21.1.24, xwayland 24.1.13 |
| CVE-2026-55999 | glamor, the GPU rendering backend | Heap overflow from a crafted font | 8.5 | xorg-server 21.1.24, xwayland 24.1.13 |
Both live in code paths an authenticated X client can reach. CVE-2026-56000 is a use-after-free in GLX, the extension that gives clients access to OpenGL. The server keeps a per-client array of context tags. Per the fix commit, CommonMakeCurrent() held a pointer into that array after it had been reallocated, so a later write landed in freed memory. The advisory says a client reaches it by creating 16 GLX contexts and issuing a 17th make-current call, roughly 34 protocol requests in all. X.Org scores it 9.0 on the CVSS 4.0 scale.
CVE-2026-55999 is a heap buffer overflow in glamor, the accelerated rendering backend. glamor builds a texture atlas for each font, and it did not check that a single glyph's metrics stay inside the font's declared bounds. A client that supplies a crafted bitmap font and then renders text can push writes past the allocated buffer. It is scored 8.5.
Why local does not mean safe
Both bugs need an authenticated connection to the X server, so this is not a remote, unauthenticated flaw a stranger triggers over the open internet. That is where the reassurance ends. Two things widen the exposure.
The first is where the X server runs. Traditional Xorg starts as root, or through a setuid-root helper, so memory corruption inside it is a path straight to root. That is still the default on plenty of setups: proprietary GPU drivers, older distributions, and login managers that have not moved to a rootless X server. Where the session uses rootless Xorg, or XWayland under a Wayland compositor, the server runs as the logged-in user, and an attacker is bounded by that user's privileges instead of root. The blast radius depends entirely on which of those two your hosts run.
The second is who counts as local. An X client does not have to sit at the physical keyboard. SSH X11 forwarding, and any X server left listening on a TCP port, both let a remote but authenticated user open exactly the kind of connection these bugs need. On a shared jump host or a multi-user workstation, every account with a graphical session, or the right to forward one, is inside the trust boundary.
Who should actually care
Headless servers with no X server installed are not affected. This is a desktop and workstation problem. The hosts that matter are the shared ones: multi-user Linux desktops, virtual-desktop and thin-client deployments, terminal and jump servers that permit X11 forwarding, and build or lab machines where several people hold accounts. On a single-user laptop the practical risk is low, because an attacker who can already run code as you gains little from also crashing your X server. On a box where many users, or many service accounts, share one machine, a local-to-root primitive is exactly the escalation an attacker chains after a first foothold, much like the SSSD sudo default we covered last week that turned one directory account into root across a fleet.
The pattern behind the batch
This is another entry in a run of X.Org memory-corruption fixes this year, most of them the same shape: an authenticated client sends a legal-looking sequence of requests and trips a bug in the server's C code. The cause is structural. The X11 protocol treats any client that passed authentication as highly trusted, and it exposes a large request surface written decades ago in a memory-unsafe language. Fuzzing, increasingly assisted by automated tooling, keeps finding new corners of it. Patching each bug is right and necessary, but the recurring lesson is architectural: the case for moving sessions to Wayland, and for running a rootless X server where you cannot, gets stronger with every one of these advisories.
Patch, then shrink the X attack surface
Update xorg-server to 21.1.24 and xwayland to 24.1.13 through your distribution as the packages land; the fixes are already upstream. Restart the graphical session, or the host, so the running server picks up the new binary. That is the control that actually closes both holes.
Then reduce what a local client can reach. Check whether your X servers run as root, and move to a rootless configuration where your driver and login manager support it, so a future bug of this class tops out at the user rather than root. Turn off SSH X11 forwarding on shared servers that do not need it (X11Forwarding no in sshd_config), and confirm no X server is listening on a TCP port where it does not have to. Detection here is thin: there is no clean signature for these attempts, so repeated X server crashes or restarts in your logs are a weak signal at best. The honest answer is that patching and cutting the attack surface beat trying to catch exploitation after the fact. In MITRE ATT&CK terms, a successful attack is exploitation for privilege escalation (T1068).