CVE-2025-26600 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2025-26600

CVE-2025-26600

February 25, 2025

A use-after-free flaw was found in X.Org and Xwayland. When a device is removed while still frozen, the events queued for that device remain while the device is freed. Replaying the events will cause a use-after-free.

Related Resources (19)

https://access.redhat.com/errata/RHSA-2025:7163

https://access.redhat.com/errata/RHSA-2025:2879

https://access.redhat.com/errata/RHSA-2025:2502

https://access.redhat.com/errata/RHSA-2025:7165

https://access.redhat.com/errata/RHSA-2025:2862

https://access.redhat.com/errata/RHSA-2025:2865

https://access.redhat.com/errata/RHSA-2025:7458

https://access.redhat.com/errata/RHSA-2025:2880

https://access.redhat.com/errata/RHSA-2025:2875

https://access.redhat.com/errata/RHSA-2025:2866

https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14

https://access.redhat.com/errata/RHSA-2025:2874

https://lists.debian.org/debian-lts-announce/2025/02/msg00036.html

https://bugzilla.redhat.com/show_bug.cgi?id=2345252

https://access.redhat.com/security/cve/CVE-2025-26600

https://access.redhat.com/errata/RHSA-2025:2873

https://access.redhat.com/errata/RHSA-2025:2861

https://security.netapp.com/advisory/ntap-20250516-0005/

https://access.redhat.com/errata/RHSA-2025:2500

Do you need more information?

CVSS v4

Base Score:

8.5

Attack Vector

LOCAL

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Use After Free

EPSS

Base Score:

0.06