The Zero Day Initiative has published an advisory for a medium-severity information disclosure vulnerability in X.Org Server, tracked as CVE-2026-50262, with a CVSS score of 5.5. The flaw was reported to the vendor on April 17, 2026, and the coordinated public advisory followed on June 24, 2026.
Vulnerability Details
The issue resides in the handling of the numAttribs field within the ChangeDrawableAttributes function. The server fails to validate the user-supplied numAttribs value before using it to index into an allocated data structure, so a read operation can extend past the structure’s intended boundary. This out-of-bounds read can expose sensitive memory contents to a local attacker.
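The validation the advisory describes as missing, shown as an added example in C that is not X.Org code and uses a hypothetical request layout (attrib_req_hdr, MAX_ATTRIBS, PAIR_BYTES and try_request are all assumptions): the client-supplied numAttribs is checked both against the bytes actually received and against the size of the table it indexes before any read takes place.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical request layout, NOT the real X.Org wire format: a fixed
 * header followed by numAttribs (attribute, value) uint32_t pairs. */
typedef struct { uint32_t drawable; uint32_t numAttribs; } attrib_req_hdr;
#define MAX_ATTRIBS 32                  /* hypothetical per-drawable table size */
#define PAIR_BYTES  (2 * sizeof(uint32_t))
/* Copy the attribute pairs out of a request. Returns 0 on success, -1 when
 * the client-supplied numAttribs is inconsistent with the request or table. */
int parse_attrib_pairs(const uint8_t *req, size_t req_len,
                       uint32_t attrs[MAX_ATTRIBS], uint32_t vals[MAX_ATTRIBS],
                       size_t *out_n)
{
    attrib_req_hdr hdr;
    if (req_len < sizeof hdr) return -1;
    memcpy(&hdr, req, sizeof hdr);
    /* Check 1: the claimed count must fit the bytes actually received.
     * Dividing first keeps the comparison free of integer overflow. */
    if (hdr.numAttribs > (req_len - sizeof hdr) / PAIR_BYTES) return -1;
    /* Check 2: the count must also fit the structure it indexes; without
     * it the copy loop reads and writes past the end of the table. */
    if (hdr.numAttribs > MAX_ATTRIBS) return -1;
    const uint8_t *p = req + sizeof hdr;
    for (uint32_t i = 0; i < hdr.numAttribs; i++, p += PAIR_BYTES) {
        memcpy(&attrs[i], p, sizeof(uint32_t));
        memcpy(&vals[i], p + sizeof(uint32_t), sizeof(uint32_t));
    }
    *out_n = hdr.numAttribs;
    return 0;
}

/* Build a constructed request claiming `claimed` pairs but carrying only
 * `sent` pairs (attribute i, value 100+i), and run the parser over it.
 * Returns the number of pairs accepted, or -1 if the request is rejected. */
int try_request(uint32_t claimed, size_t sent)
{
    uint8_t buf[sizeof(attrib_req_hdr) + 64 * PAIR_BYTES] = {0};
    if (sent > 64) return -1;
    attrib_req_hdr hdr = { .drawable = 0x1234, .numAttribs = claimed };
    memcpy(buf, &hdr, sizeof hdr);
    for (size_t i = 0; i < sent; i++) {
        uint32_t a = (uint32_t)i, v = 100u + (uint32_t)i;
        memcpy(buf + sizeof hdr + i * PAIR_BYTES, &a, sizeof a);
        memcpy(buf + sizeof hdr + i * PAIR_BYTES + sizeof a, &v, sizeof v);
    }
    uint32_t attrs[MAX_ATTRIBS], vals[MAX_ATTRIBS]; size_t n = 0;
    return parse_attrib_pairs(buf, sizeof hdr + sent * PAIR_BYTES, attrs, vals, &n)
           ? -1 : (int)n;
}
```

A count that passes only the first check but not the second (here, 40 pairs genuinely sent against a 32-entry table) is still rejected, which is the case an allocation-size check alone would miss.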
Exploitation Requirements and Impact
Exploitation requires that the attacker already hold the ability to execute low-privileged code on the target system. The vulnerability’s access vector is local, attack complexity is low, and no user interaction is needed. While the flaw itself is rated for confidentiality impact only, the advisory notes that the leaked information could be chained with additional vulnerabilities to achieve arbitrary code execution in a root context.
Remediation
X.Org has issued a patch addressing this vulnerability. Administrators running X.Org Server should apply the upstream fix, which is available in the project’s GitLab repository. Systems that expose X.Org sessions to untrusted local users should treat this patch as a priority, particularly given the potential for chaining toward privilege escalation.
- CVE: CVE-2026-50262
- CVSS Score: 5.5 (Medium)
- Attack Vector: Local, low privilege, no user interaction
- Impact: Information disclosure, chainable toward root code execution
- Patch: Available from X.Org upstream
