An out-of-bounds read flaw was found in the X

CVE-2026-50262 is a bounds-check failure in __glXDisp_ChangeDrawableAttributes() in the X.Org X server and Xwayland. Upstream, affected releases are xorg-server before 21.1.23 and Xwayland before 24.1.12; the bug lets a connected X client over-read the request buffer and disclose process memory, while a related write path exists only for byte-swapped clients, which X.Org says are disabled by default.

Red Hat's MEDIUM 5.5 is technically fair in a vacuum, but too generous for enterprise prioritization. This is not unauthenticated remote reachability; it generally requires a client that can already connect to the user's X server, which usually means local/session-level foothold plus X11 auth material. That is classic post-initial-access friction, and the more dangerous write/priv-esc angle gets further kneecapped by modern rootless Xorg/Xwayland and the default-disabled byte-swapped path.

Why this verdict

• Down from vendor 5.5 because attacker position is already post-compromise: AV:L/PR:L plus X11 auth requirements mean the adversary usually already has code execution or session-level access.
• Further down because real impact is mostly disclosure: the dependable path is an out-of-bounds read, not straightforward code execution.
• Further down because the nastier path is gated: the write condition needs byte-swapped clients, which upstream says are disabled by default.
• Further down because exposure population is smaller than generic Linux fleet counts imply: many enterprise Linux systems are headless, and many desktops run Xwayland/rootless Xorg, not privileged classic Xorg.
• No upward pressure from threat intel: no KEV, no known active exploitation, and an extremely low EPSS signal.

Why not higher?

This is not an edge-facing service flaw and not a broad unauthenticated remote attack surface. To get meaningful impact, the attacker usually needs a prior foothold, X11 trust material, and in the write-case an extra non-default prerequisite; that stack of friction is exactly why this does not belong in HIGH or CRITICAL.

Why not lower?

It still deserves tracking because X11 is a long-lived privileged-ish session component, and memory disclosure inside that process can help a follow-on attacker. Also, some real environments still run legacy Xorg configurations or expose X11 sloppily, so calling it IGNORE would be too dismissive.

1. Keep X11 off the network — Ensure DisallowTCP-style controls and display-manager settings actually prevent X11 from listening on TCP 6000+. This shrinks accidental exposure immediately; for a LOW verdict there is no mitigation SLA, so treat it as backlog hygiene and validate during the next desktop/platform hardening cycle.
2. Lock down X11 auth material — Audit for xhost +, over-broad .Xauthority sharing, and container bind mounts that expose /tmp/.X11-unix plus auth cookies. This directly attacks the main exploitation prerequisite; for LOW, there is no mitigation SLA, so fold it into your next Linux endpoint baseline review.
3. Prefer rootless Xorg and Wayland — Make sure Xwayland is not running as root and retire legacy privileged Xorg where possible. That does not remove the read bug, but it materially blunts the worst-case write/priv-esc story; again, for LOW this is backlog hygiene, not emergency work.
4. Watch for suspicious X11 client activity — Add detections for odd processes touching /tmp/.X11-unix, reading .Xauthority, or launching bespoke GLX/X11 clients from untrusted containers or developer shells. This helps catch the post-access prerequisite that matters more than the CVE number itself; tune during normal detection engineering work.

Run this on the target Linux host as a local shell check; no root is required, though package-manager metadata is easier to read with normal local access. Invoke it as bash check-cve-2026-50262.sh. It checks installed Xorg/Xwayland versions and returns PATCHED, VULNERABLE, or UNKNOWN; UNKNOWN is expected on distros that backport fixes without bumping the upstream version string.

#!/usr/bin/env bash
# check-cve-2026-50262.sh
# Determine likely exposure to CVE-2026-50262 on Linux hosts.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

FIXED_XORG="21.1.23"
FIXED_XWAYLAND="24.1.12"
status="PATCHED"
notes=()

ver_lt() {
  [ "$1" = "$2" ] && return 1
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

extract_ver() {
  local bin="$1"
  "$bin" -version 2>&1 | sed -n 's/.*X\.Org X Server \([0-9][0-9.]*\).*/\1/p; s/.*Xwayland \([0-9][0-9.]*\).*/\1/p' | head -n1
}

pkg_hint() {
  local pkg="$1"
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}\n' "$pkg" 2>/dev/null && return 0
  fi
  if command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null && return 0
  fi
  if command -v pacman >/dev/null 2>&1; then
    pacman -Q "$pkg" 2>/dev/null | awk '{print $2}' && return 0
  fi
  return 1
}

check_component() {
  local name="$1"
  local bin="$2"
  local fixed="$3"
  local pkg1="$4"
  local pkg2="$5"
  local ver=""
  local pver=""

  if command -v "$bin" >/dev/null 2>&1; then
    ver="$(extract_ver "$bin")"
  fi

  if [ -z "$ver" ]; then
    if [ -n "$pkg1" ]; then pver="$(pkg_hint "$pkg1" 2>/dev/null || true)"; fi
    if [ -z "$pver" ] && [ -n "$pkg2" ]; then pver="$(pkg_hint "$pkg2" 2>/dev/null || true)"; fi
  fi

  if [ -z "$ver" ] && [ -z "$pver" ]; then
    notes+=("$name not found")
    return 0
  fi

  if [ -n "$ver" ]; then
    notes+=("$name binary version: $ver")
    if ver_lt "$ver" "$fixed"; then
      # Distros may backport fixes without changing upstream version strings.
      if [ -n "$pver" ] && echo "$pver" | grep -Eiq '(ubuntu|deb|el[0-9]|fc[0-9]|suse|amzn)'; then
        status="UNKNOWN"
        notes+=("$name appears older than upstream fixed version but distro backport may apply: $pver")
      else
        status="VULNERABLE"
        notes+=("$name is older than upstream fixed version $fixed")
      fi
    else
      notes+=("$name meets or exceeds upstream fixed version $fixed")
    fi
  else
    status="UNKNOWN"
    notes+=("$name package present but binary version could not be parsed: $pver")
  fi
}

check_component "Xorg" "Xorg" "$FIXED_XORG" "xorg-server" "xorg-x11-server-Xorg"
check_component "Xwayland" "Xwayland" "$FIXED_XWAYLAND" "xwayland" "xorg-x11-server-Xwayland"

if [ "$status" = "PATCHED" ]; then
  echo "PATCHED"
  printf '%s\n' "${notes[@]}"
  exit 0
elif [ "$status" = "VULNERABLE" ]; then
  echo "VULNERABLE"
  printf '%s\n' "${notes[@]}"
  exit 1
else
  echo "UNKNOWN"
  printf '%s\n' "${notes[@]}"
  exit 2
fi

Sources

1. Openwall oss-security advisory, June 2 2026
2. Seclists follow-up mapping CVEs to June 2026 X.Org issues
3. X.Org security advisories index
4. X.Org authentication and access control documentation
5. Red Hat CVE page for CVE-2026-50262
6. CISA Known Exploited Vulnerabilities Catalog
7. FIRST EPSS overview
8. Red Hat note on unintended X11 TCP port 6000 exposure