CVE-2026-34000

EUVD-2026-27341
A flaw was found in the X.Org X server. This out-of-bounds read vulnerability in XKB geometry processing, specifically within the `CheckSetGeom()` and `XkbAddGeomKeyAlias()` functions, allows an attacker to read uninitialized or out-of-bounds memory. An attacker with a connection to the X11 server, either locally or remotely, can exploit this without user interaction. This could lead to the disclosure of memory contents or cause a denial of service by crashing the server.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 6.1 MEDIUM | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L |

EPSS Score percentile: 31%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| x.org | x_server | - |
| redhat | enterprise_linux | 6.0 |
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 10.0 |

Debian Releases
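
| Debian Product | Codename | Version | Status |
|---|---|---|---|
| xorg-server | bookworm | 2:21.1.7-3+deb12u12 | fixed |
| xorg-server | bookworm (security) | | vulnerable |
| xorg-server | bullseye | | postponed |
| xorg-server | bullseye (security) | | vulnerable |
| xorg-server | forky | 2:21.1.23-1 | fixed |
| xorg-server | sid | 2:21.1.23-1 | fixed |
| xorg-server | trixie | 2:21.1.16-1.3+deb13u2 | fixed |
| xorg-server | trixie (security) | | vulnerable |
| xwayland | bookworm | | ignored |
| xwayland | forky | 2:24.1.12-1 | fixed |
| xwayland | sid | 2:24.1.12-1 | fixed |
| xwayland | trixie | | ignored |
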
openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| xorg-x11-server | suse enterprise desktop 15 SP7 | 21.1.15-150700.5.16.1 | fixed |
| xorg-x11-server | suse enterprise sap 15 SP7 | 21.1.15-150700.5.16.1 | fixed |
| xorg-x11-server | suse enterprise server 12 SP5 | 1.19.6-10.99.1 | fixed |
| xorg-x11-server | suse enterprise server 15 SP4 | 1.20.3-150400.38.68.1 | fixed |
| xorg-x11-server | suse enterprise server 15 SP5 | 21.1.4-150500.7.46.1 | fixed |
| xorg-x11-server | suse enterprise server 15 SP6 | 21.1.11-150600.5.25.1 | fixed |
| xorg-x11-server | suse enterprise server 15 SP7 | 21.1.15-150700.5.16.1 | fixed |
| xorg-x11-server-Xvfb | suse enterprise desktop 15 SP7 | 21.1.15-150700.5.16.1 | fixed |
| xorg-x11-server-Xvfb | suse enterprise sap 15 SP7 | 21.1.15-150700.5.16.1 | fixed |
| xorg-x11-server-Xvfb | suse enterprise server 15 SP5 | 21.1.4-150500.7.46.1 | fixed |
| xorg-x11-server-Xvfb | suse enterprise server 15 SP6 | 21.1.11-150600.5.25.1 | fixed |
| xorg-x11-server-Xvfb | suse enterprise server 15 SP7 | 21.1.15-150700.5.16.1 | fixed |
| xorg-x11-server-extra | suse enterprise desktop 15 SP7 | 21.1.15-150700.5.16.1 | fixed |
| xorg-x11-server-extra | suse enterprise sap 15 SP7 | 21.1.15-150700.5.16.1 | fixed |
| xorg-x11-server-extra | suse enterprise server 12 SP5 | 1.19.6-10.99.1 | fixed |
| xorg-x11-server-extra | suse enterprise server 15 SP4 | 1.20.3-150400.38.68.1 | fixed |
| xorg-x11-server-extra | suse enterprise server 15 SP5 | 21.1.4-150500.7.46.1 | fixed |
| xorg-x11-server-extra | suse enterprise server 15 SP6 | 21.1.11-150600.5.25.1 | fixed |
| xorg-x11-server-extra | suse enterprise server 15 SP7 | 21.1.15-150700.5.16.1 | fixed |
| xorg-x11-server-sdk | suse enterprise server 15 SP4 | 1.20.3-150400.38.68.1 | fixed |
| xorg-x11-server-sdk | suse enterprise server 15 SP5 | 21.1.4-150500.7.46.1 | fixed |
| xorg-x11-server-sdk | suse enterprise server 15 SP6 | 21.1.11-150600.5.25.1 | fixed |

Red Hat Enterprise Linux Releases
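
| Red Hat Product | Release | Version | Status |
|---|---|---|---|
| tigervnc | RHEL 8.4 AUS | 0:1.11.0-8.el8_4.15 | fixed |
| tigervnc | RHEL 8.6 AUS | 0:1.12.0-6.el8_6.17 | fixed |
| tigervnc | RHEL 8.8 E4S | 0:1.12.0-15.el8_8.17 | fixed |
| tigervnc | RHEL 8.8 TUS | 0:1.12.0-15.el8_8.17 | fixed |
| tigervnc | RHEL 9 | 0:1.15.0-7.el9_8.1 | fixed |
| tigervnc-icons | RHEL 8.4 AUS | 0:1.11.0-8.el8_4.15 | fixed |
| tigervnc-icons | RHEL 8.6 AUS | 0:1.12.0-6.el8_6.17 | fixed |
| tigervnc-icons | RHEL 8.8 E4S | 0:1.12.0-15.el8_8.17 | fixed |
| tigervnc-icons | RHEL 8.8 TUS | 0:1.12.0-15.el8_8.17 | fixed |
| tigervnc-icons | RHEL 9 | 0:1.15.0-7.el9_8.1 | fixed |
| tigervnc-license | RHEL 8.4 AUS | 0:1.11.0-8.el8_4.15 | fixed |
| tigervnc-license | RHEL 8.6 AUS | 0:1.12.0-6.el8_6.17 | fixed |
| tigervnc-license | RHEL 8.8 E4S | 0:1.12.0-15.el8_8.17 | fixed |
| tigervnc-license | RHEL 8.8 TUS | 0:1.12.0-15.el8_8.17 | fixed |
| tigervnc-license | RHEL 9 | 0:1.15.0-7.el9_8.1 | fixed |
| tigervnc-selinux | RHEL 8.4 AUS | 0:1.11.0-8.el8_4.15 | fixed |
| tigervnc-selinux | RHEL 8.6 AUS | 0:1.12.0-6.el8_6.17 | fixed |
| tigervnc-selinux | RHEL 8.8 E4S | 0:1.12.0-15.el8_8.17 | fixed |
| tigervnc-selinux | RHEL 8.8 TUS | 0:1.12.0-15.el8_8.17 | fixed |
| tigervnc-selinux | RHEL 9 | 0:1.15.0-7.el9_8.1 | fixed |
| tigervnc-server | RHEL 8.4 AUS | 0:1.11.0-8.el8_4.15 | fixed |
| tigervnc-server | RHEL 8.6 AUS | 0:1.12.0-6.el8_6.17 | fixed |
| tigervnc-server | RHEL 8.8 E4S | 0:1.12.0-15.el8_8.17 | fixed |
| tigervnc-server | RHEL 8.8 TUS | 0:1.12.0-15.el8_8.17 | fixed |
| tigervnc-server | RHEL 9 | 0:1.15.0-7.el9_8.1 | fixed |
| tigervnc-server-minimal | RHEL 8.4 AUS | 0:1.11.0-8.el8_4.15 | fixed |
| tigervnc-server-minimal | RHEL 8.6 AUS | 0:1.12.0-6.el8_6.17 | fixed |
| tigervnc-server-minimal | RHEL 8.8 E4S | 0:1.12.0-15.el8_8.17 | fixed |
| tigervnc-server-minimal | RHEL 8.8 TUS | 0:1.12.0-15.el8_8.17 | fixed |
| tigervnc-server-minimal | RHEL 9 | 0:1.15.0-7.el9_8.1 | fixed |
| tigervnc-server-module | RHEL 8.4 AUS | 0:1.11.0-8.el8_4.15 | fixed |
| tigervnc-server-module | RHEL 8.6 AUS | 0:1.12.0-6.el8_6.17 | fixed |
| tigervnc-server-module | RHEL 8.8 E4S | 0:1.12.0-15.el8_8.17 | fixed |
| tigervnc-server-module | RHEL 8.8 TUS | 0:1.12.0-15.el8_8.17 | fixed |
| tigervnc-server-module | RHEL 9 | 0:1.15.0-7.el9_8.1 | fixed |
| xorg-x11-server-Xdmx | RHEL 8.4 AUS | 0:1.20.10-4.el8_4 | fixed |
| xorg-x11-server-Xdmx | RHEL 8.6 AUS | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-Xdmx | RHEL 8.6 E4S | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-Xdmx | RHEL 8.6 TUS | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-Xdmx | RHEL 8.8 E4S | 0:1.20.11-18.el8_8 | fixed |
| xorg-x11-server-Xdmx | RHEL 8.8 TUS | 0:1.20.11-18.el8_8 | fixed |
| xorg-x11-server-Xephyr | RHEL 8.4 AUS | 0:1.20.10-4.el8_4 | fixed |
| xorg-x11-server-Xephyr | RHEL 8.6 AUS | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-Xephyr | RHEL 8.6 E4S | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-Xephyr | RHEL 8.6 TUS | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-Xephyr | RHEL 8.8 E4S | 0:1.20.11-18.el8_8 | fixed |
| xorg-x11-server-Xephyr | RHEL 8.8 TUS | 0:1.20.11-18.el8_8 | fixed |
| xorg-x11-server-Xnest | RHEL 8.4 AUS | 0:1.20.10-4.el8_4 | fixed |
| xorg-x11-server-Xnest | RHEL 8.6 AUS | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-Xnest | RHEL 8.6 E4S | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-Xnest | RHEL 8.6 TUS | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-Xnest | RHEL 8.8 E4S | 0:1.20.11-18.el8_8 | fixed |
| xorg-x11-server-Xnest | RHEL 8.8 TUS | 0:1.20.11-18.el8_8 | fixed |
| xorg-x11-server-Xorg | RHEL 8.4 AUS | 0:1.20.10-4.el8_4 | fixed |
| xorg-x11-server-Xorg | RHEL 8.6 AUS | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-Xorg | RHEL 8.6 E4S | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-Xorg | RHEL 8.6 TUS | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-Xorg | RHEL 8.8 E4S | 0:1.20.11-18.el8_8 | fixed |
| xorg-x11-server-Xorg | RHEL 8.8 TUS | 0:1.20.11-18.el8_8 | fixed |
| xorg-x11-server-Xvfb | RHEL 8.4 AUS | 0:1.20.10-4.el8_4 | fixed |
| xorg-x11-server-Xvfb | RHEL 8.6 AUS | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-Xvfb | RHEL 8.6 E4S | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-Xvfb | RHEL 8.6 TUS | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-Xvfb | RHEL 8.8 E4S | 0:1.20.11-18.el8_8 | fixed |
| xorg-x11-server-Xvfb | RHEL 8.8 TUS | 0:1.20.11-18.el8_8 | fixed |
| xorg-x11-server-Xwayland | RHEL 8.4 AUS | 0:1.20.10-4.el8_4 | fixed |
| xorg-x11-server-common | RHEL 8.4 AUS | 0:1.20.10-4.el8_4 | fixed |
| xorg-x11-server-common | RHEL 8.6 AUS | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-common | RHEL 8.6 E4S | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-common | RHEL 8.6 TUS | 0:1.20.11-7.el8_6 | fixed |
| xorg-x11-server-common | RHEL 8.8 E4S | 0:1.20.11-18.el8_8 | fixed |
| xorg-x11-server-common | RHEL 8.8 TUS | 0:1.20.11-18.el8_8 | fixed |
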
Amazon Linux Releases

| Amazon Package | Release | Version | Status |
|---|---|---|---|
| tigervnc | Amazon Linux 2023 | 0:1.14.1-3.amzn2023.0.5 | fixed |
| tigervnc-debuginfo | Amazon Linux 2023 | 0:1.14.1-3.amzn2023.0.5 | fixed |
| tigervnc-debugsource | Amazon Linux 2023 | 0:1.14.1-3.amzn2023.0.5 | fixed |
| tigervnc-icons | Amazon Linux 2023 | 0:1.14.1-3.amzn2023.0.5 | fixed |
| tigervnc-license | Amazon Linux 2023 | 0:1.14.1-3.amzn2023.0.5 | fixed |
| tigervnc-selinux | Amazon Linux 2023 | 0:1.14.1-3.amzn2023.0.5 | fixed |
| tigervnc-server | Amazon Linux 2023 | 0:1.14.1-3.amzn2023.0.5 | fixed |
| tigervnc-server-debuginfo | Amazon Linux 2023 | 0:1.14.1-3.amzn2023.0.5 | fixed |
| tigervnc-server-minimal | Amazon Linux 2023 | 0:1.14.1-3.amzn2023.0.5 | fixed |
| tigervnc-server-minimal-debuginfo | Amazon Linux 2023 | 0:1.14.1-3.amzn2023.0.5 | fixed |
| tigervnc-server-module | Amazon Linux 2023 | 0:1.14.1-3.amzn2023.0.5 | fixed |
| tigervnc-server-module-debuginfo | Amazon Linux 2023 | 0:1.14.1-3.amzn2023.0.5 | fixed |
| xorg-x11-server-Xephyr | Amazon Linux 2023 | 0:21.1.13-5.amzn2023.0.9 | fixed |
| xorg-x11-server-Xephyr-debuginfo | Amazon Linux 2023 | 0:21.1.13-5.amzn2023.0.9 | fixed |
| xorg-x11-server-Xnest | Amazon Linux 2023 | 0:21.1.13-5.amzn2023.0.9 | fixed |
| xorg-x11-server-Xnest-debuginfo | Amazon Linux 2023 | 0:21.1.13-5.amzn2023.0.9 | fixed |
| xorg-x11-server-Xorg | Amazon Linux 2023 | 0:21.1.13-5.amzn2023.0.9 | fixed |
| xorg-x11-server-Xorg-debuginfo | Amazon Linux 2023 | 0:21.1.13-5.amzn2023.0.9 | fixed |
| xorg-x11-server-Xvfb | Amazon Linux 2023 | 0:21.1.13-5.amzn2023.0.9 | fixed |
| xorg-x11-server-Xvfb-debuginfo | Amazon Linux 2023 | 0:21.1.13-5.amzn2023.0.9 | fixed |
| xorg-x11-server-Xwayland | Amazon Linux 2023 | 0:24.1.3-1.amzn2023.0.4 | fixed |
| xorg-x11-server-Xwayland-debuginfo | Amazon Linux 2023 | 0:24.1.3-1.amzn2023.0.4 | fixed |
| xorg-x11-server-Xwayland-debugsource | Amazon Linux 2023 | 0:24.1.3-1.amzn2023.0.4 | fixed |
| xorg-x11-server-Xwayland-devel | Amazon Linux 2023 | 0:24.1.3-1.amzn2023.0.4 | fixed |
| xorg-x11-server-common | Amazon Linux 2023 | 0:21.1.13-5.amzn2023.0.9 | fixed |
| xorg-x11-server-debuginfo | Amazon Linux 2023 | 0:21.1.13-5.amzn2023.0.9 | fixed |
| xorg-x11-server-debugsource | Amazon Linux 2023 | 0:21.1.13-5.amzn2023.0.9 | fixed |
| xorg-x11-server-devel | Amazon Linux 2023 | 0:21.1.13-5.amzn2023.0.9 | fixed |
| xorg-x11-server-source | Amazon Linux 2023 | 0:21.1.13-5.amzn2023.0.9 | fixed |