CVE-2025-26598

Name
CVE-2025-26598
Description
An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searches for the pointer device based on its device ID and returns the matching value, or supposedly NULL, if no match was found. However, the code will return the last element of the list if no matching device ID is found, which can lead to out-of-bounds memory access.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
vdb-entry https://access.redhat.com/security/cve/CVE-2025-26598
issue-tracking https://bugzilla.redhat.com/show_bug.cgi?id=2345254
vendor-advisory https://access.redhat.com/errata/RHSA-2025:2500
vendor-advisory https://access.redhat.com/errata/RHSA-2025:2502
vendor-advisory https://access.redhat.com/errata/RHSA-2025:2862
vendor-advisory https://access.redhat.com/errata/RHSA-2025:2865
vendor-advisory https://access.redhat.com/errata/RHSA-2025:2874
vendor-advisory https://access.redhat.com/errata/RHSA-2025:2875
vendor-advisory https://access.redhat.com/errata/RHSA-2025:2861
vendor-advisory https://access.redhat.com/errata/RHSA-2025:2866
vendor-advisory https://access.redhat.com/errata/RHSA-2025:2873
vendor-advisory https://access.redhat.com/errata/RHSA-2025:2879
vendor-advisory https://access.redhat.com/errata/RHSA-2025:2880
vendor-advisory https://access.redhat.com/errata/RHSA-2025:7163
vendor-advisory https://access.redhat.com/errata/RHSA-2025:7165
vendor-advisory https://access.redhat.com/errata/RHSA-2025:7458

Match rules

CPE URI Source package Min version Max version
shopxo >= 0 < 21.1.16
shopxo >= 22.0.0 < 24.1.6
cpe:/o:redhat:enterprise_linux:10.0 shopxo >= 0:24.1.5-3.el10_0 < *
cpe:/o:redhat:rhel_els:7 shopxo >= 0:1.8.0-36.el7_9 < *
cpe:/o:redhat:rhel_els:7 shopxo >= 0:1.20.4-30.el7_9 < *
cpe:/a:redhat:enterprise_linux:8::appstream shopxo >= 0:1.13.1-15.el8_10 < *
cpe:/a:redhat:rhel_aus:8.2::appstream shopxo >= 0:1.9.0-15.el8_2.13 < *
cpe:/a:redhat:rhel_tus:8.4::appstream shopxo >= 0:1.11.0-8.el8_4.12 < *
cpe:/a:redhat:rhel_aus:8.6::appstream shopxo >= 0:1.12.0-6.el8_6.13 < *
cpe:/a:redhat:rhel_eus:8.8::appstream shopxo >= 0:1.12.0-15.el8_8.12 < *
cpe:/a:redhat:enterprise_linux:9::appstream shopxo >= 0:1.14.1-1.el9_5.1 < *
cpe:/a:redhat:enterprise_linux:9::appstream shopxo >= 0:1.20.11-28.el9_6 < *
cpe:/a:redhat:enterprise_linux:9::appstream shopxo >= 0:23.2.7-3.el9_6 < *
cpe:/a:redhat:rhel_e4s:9.0::appstream shopxo >= 0:1.11.0-22.el9_0.13 < *
cpe:/a:redhat:rhel_eus:9.2::appstream shopxo >= 0:1.12.0-14.el9_2.10 < *
cpe:/a:redhat:rhel_eus:9.4::appstream shopxo >= 0:1.13.1-8.el9_4.5 < *

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
xwayland edge-community 24.1.6-r0 Simon Zeni <simon@bl4ckb0ne.ca> fixed
xwayland 3.22-community 24.1.6-r0 Simon Zeni <simon@bl4ckb0ne.ca> fixed
xwayland 3.21-community 24.1.6-r0 Simon Zeni <simon@bl4ckb0ne.ca> fixed
xorg-server edge-community 21.1.16-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
xorg-server 3.22-community 21.1.16-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
xorg-server 3.21-community 21.1.16-r0 Natanael Copa <ncopa@alpinelinux.org> fixed