X.Org and Xwayland Buffer Overflow Vulnerability in Key Symbol Management

A buffer overflow vulnerability has been identified in X.Org and Xwayland. The issue arises in the XkbChangeTypesOfKey() function, which can be called with a group value of 0. This call resizes the key symbols table to 0 while leaving the key actions intact. If the function is subsequently called with a non-zero group value, it leads to a buffer overflow, as the key actions do not match the expected size. This vulnerability affects multiple versions of X.Org and Xwayland on various Red Hat Enterprise Linux distributions.

Impact

Exploitation of this vulnerability causes a buffer overflow, which can lead to memory corruption and potentially allow for arbitrary code execution or privilege escalation.

Reproduction

To reproduce this vulnerability, call the XkbChangeTypesOfKey() function with a group value of 0. This will resize the key symbols table to 0 while leaving the key actions unchanged. Then, call the function again with a non-zero group value. This sequence of actions will trigger the buffer overflow, as the key actions will be of the incorrect size.

Remediation

Users can apply the available updates for this vulnerability. Instructions for updating can be found in the Red Hat Product Errata RHSA-2025:2500, RHSA-2025:2502, RHSA-2025:2861, RHSA-2025:2862, RHSA-2025:2865, RHSA-2025:2866, RHSA-2025:2873, RHSA-2025:2874, RHSA-2025:2875, RHSA-2025:2879, RHSA-2025:2880, RHSA-2025:7163, RHSA-2025:7165 and RHSA-2025:7458.