Security update for xwayland SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0729-1 Final 1 1 2025-02-26T14:14:28Z current 2025-02-26T14:14:28Z 2025-02-26T14:14:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xwayland This update for xwayland fixes the following issues: - CVE-2025-26594: Use-after-free of the root cursor (bsc#1237427). - CVE-2025-26595: Buffer overflow in XkbVModMaskText() (bsc#1237429). - CVE-2025-26596: Heap overflow in XkbWriteKeySyms() (bsc#1237430). - CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey() (bsc#1237431). - CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient() (bsc#1237432). - CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow() (bsc#1237433). - CVE-2025-26600: Use-after-free in PlayReleasedEvents() (bsc#1237434). - CVE-2025-26601: Use-after-free in SyncInitTrigger() (bsc#1237435). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-729,SUSE-SLE-Product-WE-15-SP6-2025-729,openSUSE-SLE-15.6-2025-729 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250729-1/ Link for SUSE-SU-2025:0729-1 https://lists.suse.com/pipermail/sle-security-updates/2025-February/020442.html E-Mail link for SUSE-SU-2025:0729-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1237427 SUSE Bug 1237427 https://bugzilla.suse.com/1237429 SUSE Bug 1237429 https://bugzilla.suse.com/1237430 SUSE Bug 1237430 https://bugzilla.suse.com/1237431 SUSE Bug 1237431 https://bugzilla.suse.com/1237432 SUSE Bug 1237432 https://bugzilla.suse.com/1237433 SUSE Bug 1237433 https://bugzilla.suse.com/1237434 SUSE Bug 1237434 https://bugzilla.suse.com/1237435 SUSE Bug 1237435 https://www.suse.com/security/cve/CVE-2025-26594/ SUSE CVE CVE-2025-26594 page https://www.suse.com/security/cve/CVE-2025-26595/ SUSE CVE CVE-2025-26595 page https://www.suse.com/security/cve/CVE-2025-26596/ SUSE CVE CVE-2025-26596 page https://www.suse.com/security/cve/CVE-2025-26597/ SUSE CVE CVE-2025-26597 page https://www.suse.com/security/cve/CVE-2025-26598/ SUSE CVE CVE-2025-26598 page https://www.suse.com/security/cve/CVE-2025-26599/ SUSE CVE CVE-2025-26599 page https://www.suse.com/security/cve/CVE-2025-26600/ SUSE CVE CVE-2025-26600 page https://www.suse.com/security/cve/CVE-2025-26601/ SUSE CVE CVE-2025-26601 page SUSE Linux Enterprise Workstation Extension 15 SP6 openSUSE Leap 15.6 xwayland-24.1.1-150600.5.9.1 xwayland-devel-24.1.1-150600.5.9.1 xwayland-24.1.1-150600.5.9.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 xwayland-24.1.1-150600.5.9.1 as a component of openSUSE Leap 15.6 xwayland-devel-24.1.1-150600.5.9.1 as a component of openSUSE Leap 15.6 A use-after-free flaw was found in X.Org and Xwayland. The root cursor is referenced in the X server as a global variable. If a client frees the root cursor, the internal reference points to freed memory and causes a use-after-free. CVE-2025-26594 SUSE Linux Enterprise Workstation Extension 15 SP6:xwayland-24.1.1-150600.5.9.1 openSUSE Leap 15.6:xwayland-24.1.1-150600.5.9.1 openSUSE Leap 15.6:xwayland-devel-24.1.1-150600.5.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250729-1/ https://www.suse.com/security/cve/CVE-2025-26594.html CVE-2025-26594 https://bugzilla.suse.com/1237427 SUSE Bug 1237427 A buffer overflow flaw was found in X.Org and Xwayland. The code in XkbVModMaskText() allocates a fixed-sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code fails to check the bounds of the buffer and would copy the data regardless of the size. CVE-2025-26595 SUSE Linux Enterprise Workstation Extension 15 SP6:xwayland-24.1.1-150600.5.9.1 openSUSE Leap 15.6:xwayland-24.1.1-150600.5.9.1 openSUSE Leap 15.6:xwayland-devel-24.1.1-150600.5.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250729-1/ https://www.suse.com/security/cve/CVE-2025-26595.html CVE-2025-26595 https://bugzilla.suse.com/1237429 SUSE Bug 1237429 A heap overflow flaw was found in X.Org and Xwayland. The computation of the length in XkbSizeKeySyms() differs from what is written in XkbWriteKeySyms(), which may lead to a heap-based buffer overflow. CVE-2025-26596 SUSE Linux Enterprise Workstation Extension 15 SP6:xwayland-24.1.1-150600.5.9.1 openSUSE Leap 15.6:xwayland-24.1.1-150600.5.9.1 openSUSE Leap 15.6:xwayland-devel-24.1.1-150600.5.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250729-1/ https://www.suse.com/security/cve/CVE-2025-26596.html CVE-2025-26596 https://bugzilla.suse.com/1237430 SUSE Bug 1237430 A buffer overflow flaw was found in X.Org and Xwayland. If XkbChangeTypesOfKey() is called with a 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If the same function is later called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size. CVE-2025-26597 SUSE Linux Enterprise Workstation Extension 15 SP6:xwayland-24.1.1-150600.5.9.1 openSUSE Leap 15.6:xwayland-24.1.1-150600.5.9.1 openSUSE Leap 15.6:xwayland-devel-24.1.1-150600.5.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250729-1/ https://www.suse.com/security/cve/CVE-2025-26597.html CVE-2025-26597 https://bugzilla.suse.com/1237431 SUSE Bug 1237431 An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searches for the pointer device based on its device ID and returns the matching value, or supposedly NULL, if no match was found. However, the code will return the last element of the list if no matching device ID is found, which can lead to out-of-bounds memory access. CVE-2025-26598 SUSE Linux Enterprise Workstation Extension 15 SP6:xwayland-24.1.1-150600.5.9.1 openSUSE Leap 15.6:xwayland-24.1.1-150600.5.9.1 openSUSE Leap 15.6:xwayland-devel-24.1.1-150600.5.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250729-1/ https://www.suse.com/security/cve/CVE-2025-26598.html CVE-2025-26598 https://bugzilla.suse.com/1237432 SUSE Bug 1237432 An access to an uninitialized pointer flaw was found in X.Org and Xwayland. The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error without validating the window tree marked just before, which leaves the validated data partly initialized and the use of an uninitialized pointer later. CVE-2025-26599 SUSE Linux Enterprise Workstation Extension 15 SP6:xwayland-24.1.1-150600.5.9.1 openSUSE Leap 15.6:xwayland-24.1.1-150600.5.9.1 openSUSE Leap 15.6:xwayland-devel-24.1.1-150600.5.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250729-1/ https://www.suse.com/security/cve/CVE-2025-26599.html CVE-2025-26599 https://bugzilla.suse.com/1237433 SUSE Bug 1237433 A use-after-free flaw was found in X.Org and Xwayland. When a device is removed while still frozen, the events queued for that device remain while the device is freed. Replaying the events will cause a use-after-free. CVE-2025-26600 SUSE Linux Enterprise Workstation Extension 15 SP6:xwayland-24.1.1-150600.5.9.1 openSUSE Leap 15.6:xwayland-24.1.1-150600.5.9.1 openSUSE Leap 15.6:xwayland-devel-24.1.1-150600.5.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250729-1/ https://www.suse.com/security/cve/CVE-2025-26600.html CVE-2025-26600 https://bugzilla.suse.com/1237434 SUSE Bug 1237434 A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object, possibly causing a use-after-free when the alarm eventually triggers. CVE-2025-26601 SUSE Linux Enterprise Workstation Extension 15 SP6:xwayland-24.1.1-150600.5.9.1 openSUSE Leap 15.6:xwayland-24.1.1-150600.5.9.1 openSUSE Leap 15.6:xwayland-devel-24.1.1-150600.5.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250729-1/ https://www.suse.com/security/cve/CVE-2025-26601.html CVE-2025-26601 https://bugzilla.suse.com/1237435 SUSE Bug 1237435