CVE-2025-26600
📋 TL;DR
A use-after-free vulnerability in X.Org and Xwayland allows attackers to potentially execute arbitrary code or cause denial of service when a device is removed while frozen. This affects systems using X.Org Server or Xwayland with graphical sessions. The vulnerability is particularly relevant for multi-user systems and those with hot-pluggable input devices.
💻 Affected Systems
- X.Org Server
- Xwayland
📦 What is this software?
Tigervnc by Tigervnc
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to full system compromise, privilege escalation, or persistent backdoor installation.
Likely Case
Local privilege escalation allowing an attacker to gain elevated privileges on the system.
If Mitigated
Denial of service causing graphical session crashes or instability.
🎯 Exploit Status
Exploitation requires local access and ability to trigger device removal while frozen. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check specific distribution updates (e.g., Red Hat advisories RHSA-2025:2500, RHSA-2025:2502, etc.)
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:2500
Restart Required: No
Instructions:
1. Update X.Org or Xwayland packages using your distribution's package manager.
2. For RHEL: 'sudo yum update xorg-x11-server* xwayland*'.
3. For Ubuntu/Debian: 'sudo apt update && sudo apt upgrade xserver-xorg-core xwayland'.
4. No system restart is required, but restart the graphical session for the changes to take effect.
🔧 Temporary Workarounds
Disable hot-plugging of input devices
Prevent devices from being removed while frozen by disabling hot-plug functionality.
No single command applies; this requires changes to the X.Org configuration files.
🧯 If You Can't Patch
- Restrict physical and remote access to systems with graphical sessions
- Implement strict user privilege separation and limit local user capabilities
🔍 How to Verify
Check if Vulnerable:
Check installed X.Org/Xwayland version against patched versions in vendor advisories.
Check Version:
For X.Org: 'Xorg -version'. For Xwayland: 'Xwayland -version'. For packages: 'rpm -q xorg-x11-server' or 'dpkg -l xserver-xorg-core xwayland'
Verify Fix Applied:
Verify package version matches patched version from vendor advisory and check for CVE-2025-26600 in changelog.
📡 Detection & Monitoring
Log Indicators:
- X.Org/Xwayland crashes in system logs
- Segmentation faults in X server logs
- Unexpected device removal events
Network Indicators:
- None - local exploitation only
SIEM Query:
source="Xorg.log" AND ("segmentation fault" OR "use-after-free" OR "device removed")
🔗 References
- https://access.redhat.com/errata/RHSA-2025:2500
- https://access.redhat.com/errata/RHSA-2025:2502
- https://access.redhat.com/errata/RHSA-2025:2861
- https://access.redhat.com/errata/RHSA-2025:2862
- https://access.redhat.com/errata/RHSA-2025:2865
- https://access.redhat.com/errata/RHSA-2025:2866
- https://access.redhat.com/errata/RHSA-2025:2873
- https://access.redhat.com/errata/RHSA-2025:2874
- https://access.redhat.com/errata/RHSA-2025:2875
- https://access.redhat.com/errata/RHSA-2025:2879
- https://access.redhat.com/errata/RHSA-2025:2880
- https://access.redhat.com/errata/RHSA-2025:7163
- https://access.redhat.com/errata/RHSA-2025:7165
- https://access.redhat.com/errata/RHSA-2025:7458
- https://access.redhat.com/security/cve/CVE-2025-26600
- https://bugzilla.redhat.com/show_bug.cgi?id=2345252
- https://lists.debian.org/debian-lts-announce/2025/02/msg00036.html
- https://security.netapp.com/advisory/ntap-20250516-0005/