The Zero Day Initiative has published an advisory for a use-after-free vulnerability in X.Org Server that can expose sensitive information to local attackers. The flaw, tracked as CVE-2026-50263, carries a CVSS score of 5.5 and was publicly disclosed on June 24, 2026, following coordinated disclosure that began in April.

Vulnerability Details

The defect resides in the handling of ScreenSaverScreenPrivateRec objects within the CreateSaverWindow code path. According to the advisory, the server fails to validate that the object still exists before operating on it, the classic use-after-free pattern. An attacker who can execute low-privileged code on the target system can trigger this flaw to read memory contents that should not be accessible.

While the vulnerability itself is rated for confidentiality impact only, the advisory notes that it can be combined with additional vulnerabilities to achieve arbitrary code execution in the context of root. The attack vector is local, requires low privileges, and demands no user interaction.
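The advisory's one-line root cause, operating on a per-screen private record without first checking that it still exists, is a general pattern worth seeing in code. The following C example is added here and is not X.Org code; it does not reproduce the actual CreateSaverWindow logic or the real ScreenSaverScreenPrivateRec layout. All names (SaverPriv, SaverHandle, saver_priv_create, saver_priv_destroy, create_saver_window_checked) are hypothetical. It shows the defensive shape: callers hold a handle rather than a raw pointer, the destroy path clears the slot so no dangling pointer survives, and a generation counter lets the lookup reject a handle that refers to a record that was destroyed, even if a new record has since been created for the same screen.

```c
#include <stdlib.h>
#include <stdio.h>

#define MAX_SCREENS 4

/* Hypothetical per-screen private record. Illustration only;
 * this is not X.Org's ScreenSaverScreenPrivateRec. */
typedef struct {
    unsigned generation;   /* bumped on every create, so stale handles can be rejected */
    int saver_window_id;   /* constructed field standing in for the real state */
} SaverPriv;

/* What callers keep instead of a raw pointer to the record. */
typedef struct {
    int screen;
    unsigned generation;
} SaverHandle;

static SaverPriv *saver_privs[MAX_SCREENS];   /* NULL means no record for that screen */
static unsigned saver_gen[MAX_SCREENS];        /* last generation issued per screen */

/* Create the private for a screen and hand back a handle. Returns 0 on success,
 * -1 if the screen index is bad or a record already exists. */
int saver_priv_create(int screen, SaverHandle *out) {
    if (screen < 0 || screen >= MAX_SCREENS || saver_privs[screen] != NULL)
        return -1;
    SaverPriv *p = calloc(1, sizeof *p);
    if (p == NULL)
        return -1;
    p->generation = ++saver_gen[screen];
    p->saver_window_id = -1;
    saver_privs[screen] = p;
    out->screen = screen;
    out->generation = p->generation;
    return 0;
}

/* Destroy the private: free it and clear the slot so nothing points at freed memory. */
void saver_priv_destroy(int screen) {
    if (screen < 0 || screen >= MAX_SCREENS)
        return;
    free(saver_privs[screen]);
    saver_privs[screen] = NULL;
}

/* The existence check: resolve a handle to a live record, or NULL if the record
 * was never created, was destroyed, or was destroyed and recreated since the
 * handle was issued (generation mismatch). */
static SaverPriv *saver_priv_resolve(SaverHandle h) {
    if (h.screen < 0 || h.screen >= MAX_SCREENS)
        return NULL;
    SaverPriv *p = saver_privs[h.screen];
    if (p == NULL || p->generation != h.generation)
        return NULL;
    return p;
}

/* Hardened create-saver-window step: touch the record only after it resolves.
 * Returns the window id recorded, or -1 when the record is gone. */
int create_saver_window_checked(SaverHandle h, int window_id) {
    SaverPriv *p = saver_priv_resolve(h);
    if (p == NULL)
        return -1;                      /* refuse instead of dereferencing freed memory */
    p->saver_window_id = window_id;
    return p->saver_window_id;
}

int main(void) {
    SaverHandle h, h2;
    if (saver_priv_create(0, &h) != 0)
        return 1;
    printf("live record:                  %d\n", create_saver_window_checked(h, 100));
    saver_priv_destroy(0);
    printf("after destroy:                %d\n", create_saver_window_checked(h, 101));
    saver_priv_create(0, &h2);
    printf("stale handle after recreate:  %d\n", create_saver_window_checked(h, 102));
    printf("fresh handle:                 %d\n", create_saver_window_checked(h2, 103));
    saver_priv_destroy(0);
    return 0;
}
```

The generation counter is what distinguishes this from a plain NULL check: a bare "slot is non-NULL" test would accept a stale handle once a new record has been allocated for the same screen, which is exactly the situation in which allocator reuse makes use-after-free bugs exploitable for information disclosure.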

Scope and Impact

  • Affected software: X.Org Server
  • Attack vector: Local, low-privilege access required
  • Primary impact: Sensitive information disclosure
  • Chained impact: Potential root-level code execution when combined with other vulnerabilities

Patch Available

X.Org has issued a fix, with the corrective commit available in the project’s GitLab repository. System administrators running X.Org Server should apply the update promptly, particularly on multi-user systems where untrusted local accounts exist. Given the potential for privilege escalation chains, patching should be treated as a priority even though the standalone CVSS score falls in the medium range.

The vulnerability was reported anonymously to ZDI on April 17, 2026, and the coordinated public release followed on June 24, 2026.