CVE-2026-50256

HIGH

A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. A mismatch between the X server and the libXfont2 library's maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2's alias target name length is 1024 bytes. A font alias name between 257 and 1023 bytes causes the X server to copy that name into the undersized stack buffer without further checks. This may be used to crash the server, or for privilege escalation if the X server runs as root.

CVSS v3.1 Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Complexity

LOW

Privileges

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Published: 6/5/2026Modified: 6/8/2026

Related Intelligence (2)

CRITICALZero Day

Patch Tuesday - June 2026

Microsoft is publishing 200 vulnerabilities on June 2026 Patch Tuesday . Microsoft is not aware of exploitation in the wild for any of these vulnerabilities, and is aware of public disclosure for three. This is similar to last month’s Patch Tuesday, however several of last month’s vulnerabilities ended up on CISA KEV in the days following their publication. So far this month, Microsoft has provide

CVE-2026-33825CVE-2026-45585

3d agoRapid7

HIGHVulnerability

NVD HIGH: CVE-2026-50256 — A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland....

CVE-2026-50256

Jun 5, 2026NIST NVD

References (5)

https://access.redhat.com/security/cve/CVE-2026-50256Vendor Advisory https://bugzilla.redhat.com/show_bug.cgi?id=2485380Issue TrackingVendor Advisory https://gitlab.freedesktop.org/xorg/xserver/-/commit/bb5158f962dc935e58ef8b4b5fcb31be201a6e07Patch https://lists.x.org/archives/xorg-announce/2026-June/003702.htmlMailing ListThird Party Advisory https://redhat.atlassian.net/browse/PSIRTSUPT-16950Permissions Required