A stack-based buffer overflow flaw was found in the X

CVE-2026-50259 is a stack-based buffer overflow in the XKB SetMap request path of the X.Org X server and Xwayland. In _XkbSetMapChecks(), a fixed stack buffer mapWidths[256] is indexed using client-controlled key-type data via CheckKeyTypes(), so a connected X11 client can write past the end of the stack buffer. Upstream fixed it in xorg-server 21.1.23 and xwayland 24.1.12; Debian tracks older packaged branches as vulnerable until backported fixes land, and Ubuntu had the issue under evaluation when reviewed.

The vendor's 7.8/HIGH score is technically defensible in a lab because memory corruption plus potential privilege escalation is real. In enterprise reality, it overstates urgency: the attacker must already have local foothold or X11 client access to the victim display/session, and the best-case impact often collapses further on modern rootless Xwayland and rootless Xorg deployments where the easy 'become root via X server' path is gone.

Why this verdict

• Requires X11 client reachability: AV:L/PR:L here really means the attacker is already on the box, in the session, or otherwise allowed to talk to the X server. That's compounding downward pressure because it assumes a prior compromise stage or a trusted local-user position.
• Modern deployments blunt the blast radius: on rootless Xwayland and many rootless Xorg setups, a successful exploit does not automatically become root. Same-user compromise or session DoS is still bad, but it's not the same as host-level takeover.
• No heat around exploitation: no KEV listing, no public exploitation evidence found, no public weaponized PoC found, and a tiny supplied EPSS all argue against treating this like an urgent broad spray-and-pray threat.

Why not higher?

Because this is not an unauthenticated remote bug and not meaningfully internet-reachable in normal enterprise layouts. You have to already be inside the machine or inside the user's X trust boundary, which means the vulnerability rides *after* initial access rather than creating it.

Why not lower?

Because it is still real memory corruption in a ubiquitous desktop component, and exploitation can plausibly yield more than a crash on the wrong build or legacy rootful Xorg deployment. If you run Linux VDI, engineering workstations, kiosks, or long-lived X11-forwarding environments, the affected population is non-trivial enough that this should not be shrugged off as hygiene-only.

1. Disable or restrict remote X11 access — Turn off TCP X11 listeners, review X11Forwarding exposure, and remove permissive xhost usage where it still exists. This cuts the reachable population immediately; for a MEDIUM verdict there is no mitigation SLA, so use this as risk reduction while you work inside the remediation window.
2. Prefer rootless display stacks — Where operationally possible, keep Xwayland/Xorg rootless and retire legacy rootful Xorg configurations on kiosks, GPU workstations, and niche desktop builds. This does not remove the bug, but it meaningfully lowers the privilege-escalation payoff; for MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window if you cannot justify immediate configuration churn.
3. Watch the X server process — Add detections for Xorg or Xwayland crashes, unexpected child processes, and unusual command execution spawned from those parents. This is especially useful on shared Linux desktops and VDI where a post-entry local exploit is more realistic than on locked-down servers.

Run this on the target Linux host as the logged-in user or with sudo; root is not strictly required, but package-manager queries are more reliable with normal local access. Save as check-cve-2026-50259.sh and run bash check-cve-2026-50259.sh or bash check-cve-2026-50259.sh /usr/bin/Xorg /usr/bin/Xwayland; it checks installed binaries and package metadata, then prints VULNERABLE, PATCHED, or UNKNOWN.

#!/usr/bin/env bash
# check-cve-2026-50259.sh
# Detect likely exposure to CVE-2026-50259 on Linux hosts.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

FIXED_XORG_UPSTREAM="21.1.23"
FIXED_XWAYLAND_UPSTREAM="24.1.12"
STATUS="PATCHED"
DETAILS=()

ver_ge() {
  # returns 0 if $1 >= $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

extract_ver() {
  # pull first dotted version from input
  echo "$1" | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -n1
}

check_bin() {
  local name="$1"
  local path="$2"
  local fixed="$3"
  local v out

  if [ ! -x "$path" ]; then
    DETAILS+=("$name: not present")
    return 0
  fi

  out="$($path -version 2>/dev/null || $path --version 2>/dev/null || true)"
  v="$(extract_ver "$out")"

  if [ -z "$v" ]; then
    DETAILS+=("$name: version unknown from binary output")
    STATUS="UNKNOWN"
    return 0
  fi

  if ver_ge "$v" "$fixed"; then
    DETAILS+=("$name: binary version $v >= fixed upstream $fixed")
  else
    DETAILS+=("$name: binary version $v < fixed upstream $fixed")
    if [ "$STATUS" != "UNKNOWN" ]; then STATUS="VULNERABLE"; fi
  fi
}

check_dpkg() {
  command -v dpkg-query >/dev/null 2>&1 || return 0
  local pkg ver

  for pkg in xserver-xorg-core xwayland; do
    if dpkg-query -W -f='${Version}' "$pkg" >/dev/null 2>&1; then
      ver="$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null)"
      DETAILS+=("dpkg:$pkg=$ver")

      # Known Debian unstable fixed package versions from tracker.
      if [ "$pkg" = "xserver-xorg-core" ]; then
        if dpkg --compare-versions "$ver" ge "2:21.1.23-1"; then
          DETAILS+=("dpkg:$pkg meets Debian unstable fixed threshold")
        else
          DETAILS+=("dpkg:$pkg below Debian unstable fixed threshold; could still be backported later on vendor branches")
          [ "$STATUS" = "PATCHED" ] && STATUS="UNKNOWN"
        fi
      fi

      if [ "$pkg" = "xwayland" ]; then
        if dpkg --compare-versions "$ver" ge "2:24.1.12-1"; then
          DETAILS+=("dpkg:$pkg meets Debian unstable fixed threshold")
        else
          DETAILS+=("dpkg:$pkg below Debian unstable fixed threshold; could still be backported later on vendor branches")
          [ "$STATUS" = "PATCHED" ] && STATUS="UNKNOWN"
        fi
      fi
    fi
  done
}

check_rpm() {
  command -v rpm >/dev/null 2>&1 || return 0
  local pkg
  for pkg in xorg-x11-server-Xorg xorg-x11-server-Xwayland; do
    if rpm -q "$pkg" >/dev/null 2>&1; then
      DETAILS+=("rpm:$pkg=$(rpm -q "$pkg" 2>/dev/null)")
      DETAILS+=("rpm:$pkg installed; vendor backport status must be validated against distro advisory")
      [ "$STATUS" = "PATCHED" ] && STATUS="UNKNOWN"
    fi
  done
}

XORG_PATH="${1:-$(command -v Xorg 2>/dev/null || echo /usr/bin/Xorg)}"
XWAYLAND_PATH="${2:-$(command -v Xwayland 2>/dev/null || echo /usr/bin/Xwayland)}"

check_bin "Xorg" "$XORG_PATH" "$FIXED_XORG_UPSTREAM"
check_bin "Xwayland" "$XWAYLAND_PATH" "$FIXED_XWAYLAND_UPSTREAM"
check_dpkg
check_rpm

# If neither binary exists and no packages were detected, result is PATCHED/NOT APPLICABLE.
# We keep PATCHED to satisfy the required output vocabulary.

echo "$STATUS"
printf '%s
' "${DETAILS[@]}"

case "$STATUS" in
  PATCHED) exit 0 ;;
  VULNERABLE) exit 1 ;;
  *) exit 2 ;;
esac

Sources

1. Ubuntu CVE record
2. Debian security tracker
3. Openwall oss-security advisory
4. X.Org security page
5. CVE/Red Hat data via CIRCL Vulnerability-Lookup
6. CISA KEV catalog
7. FIRST EPSS overview