Xorg


Products by Xorg Sorted by Most Security Vulnerabilities since 2018

Xorg Server: 40 vulnerabilities
Xorg X Server: 31 vulnerabilities
Xorg Xwayland: 16 vulnerabilities
Xorg Libx11: 13 vulnerabilities
Xorg X11: 12 vulnerabilities
Xorg Libxpm: 6 vulnerabilities
Xorg Xfree86: 5 vulnerabilities
Xorg Libxi: 3 vulnerabilities
Xorg Libxdmcp: 1 vulnerability
Xorg X Font Server: 1 vulnerability
Xorg X Window System: 1 vulnerability
Xorg X11r6: 1 vulnerability
Xorg Xserver: 1 vulnerability
Xorg Xterm: 1 vulnerability

By the Year

In 2025 there have been 13 vulnerabilities in Xorg with an average score of 7.4 out of ten. Last year, in 2024, Xorg had 10 security vulnerabilities published. That is, 3 more vulnerabilities have already been reported in 2025 than in all of last year. Last year's average CVE base score was higher by 0.33.

Year  Vulnerabilities  Average Score
2025  13               7.43
2024  10               7.76
2023  16               7.03
2022  6                7.53
2021  8                7.95
2020  8                7.38
2019  1                7.80
2018  5                7.84

It may take a day or so for new Xorg vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Xorg Security Vulnerabilities

CVE-2025-62230 (Oct 30, 2025)
X.Org X Server Xkb Extension Use-After-Free on Client Cleanup
A flaw was discovered in the X.Org X server's X Keyboard (Xkb) extension when handling client resource cleanup. The software frees certain data structures without properly detaching related resources, leading to a use-after-free condition. This can cause memory corruption or a crash when affected clients disconnect.
Products: Xorg Server

CVE-2025-49177 (Jun 17, 2025)
X11 XFixes Extension Memory Read via Request Length Omission
A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests.
Products: Xorg Server

CVE-2025-49178 (Jun 17, 2025)
X Server 'bytes to ignore' Flaw Leads to DoS
A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service.
Products: Xorg Server

CVE-2025-49180 (Jun 17, 2025)
Xorg RandR RRChangeProviderProperty Integer Overflow
A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate.
Products: Xorg Server

CVE-2022-49737 (Mar 16, 2025)
X.Org X Server 20.11-21.1.16 Input Race via Easystroke
In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock.
Products: Xorg Server

CVE-2025-26594 (Feb 25, 2025)
Use-after-Free in X.Org and Xwayland Root Cursor Handling
A use-after-free flaw was found in X.Org and Xwayland. The root cursor is referenced in the X server as a global variable. If a client frees the root cursor, the internal reference points to freed memory and causes a use-after-free.
Products: X Server, Xwayland

CVE-2025-26595 (Feb 25, 2025)
X.Org Xwayland Buffer Overflow via XkbVModMaskText
A buffer overflow flaw was found in X.Org and Xwayland. The code in XkbVModMaskText() allocates a fixed-sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code fails to check the bounds of the buffer and would copy the data regardless of the size.
Products: X Server, Xwayland

CVE-2025-26596 (Feb 25, 2025)
Heap Overflow in X.Org X Server XkbSizeKeySyms Length Calc
A heap overflow flaw was found in X.Org and Xwayland. The computation of the length in XkbSizeKeySyms() differs from what is written in XkbWriteKeySyms(), which may lead to a heap-based buffer overflow.
Products: X Server, Xwayland

CVE-2025-26597 (Feb 25, 2025)
Buffer Overflow in X.Org Xwayland via XkbChangeTypesOfKey() Misuse
A buffer overflow flaw was found in X.Org and Xwayland. If XkbChangeTypesOfKey() is called with a 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If the same function is later called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size.
Products: X Server, Xwayland

CVE-2025-26598 (Feb 25, 2025)
OOB Write in X.Org/Xwayland via GetBarrierDevice()
An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searches for the pointer device based on its device ID and returns the matching value, or supposedly NULL, if no match was found. However, the code will return the last element of the list if no matching device ID is found, which can lead to out-of-bounds memory access.
Products: X Server, Xwayland, Xorg Server, and others

CVE-2025-26599 (Feb 25, 2025)
Uninitialized Pointer Flaw in X.Org X Server compCheckRedirect()
An access to an uninitialized pointer flaw was found in X.Org and Xwayland. The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error without validating the window tree marked just before, which leaves the validated data partly initialized and the use of an uninitialized pointer later.
Products: X Server, Xwayland

CVE-2025-26601 (Feb 25, 2025)
Use-after-Free in X.Org/Xwayland SyncInitTrigger
A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object, possibly causing a use-after-free when the alarm eventually triggers.
Products: X Server, Xwayland

CVE-2025-26600 (Feb 25, 2025)
UAF in X.Org/XWayland via Orphaned Input Events
A use-after-free flaw was found in X.Org and Xwayland. When a device is removed while still frozen, the events queued for that device remain while the device is freed. Replaying the events will cause a use-after-free.
Products: X Server, Xwayland

CVE-2024-9632 (Oct 30, 2024)
X.org Server Local Priv Esc via XkbSetCompatMap Buffer Overflow
A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.
Products: Xorg Server

CVE-2024-31083 (Apr 05, 2024)
Xorg Server UAF via ProcRenderAddGlyphs()
A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.
Products: Xorg Server

CVE-2024-31082 (Apr 04, 2024)
X.org Server Heap Over-Read in ProcAppleDRICreatePixmap()
A heap-based buffer over-read vulnerability was found in the X.org server's ProcAppleDRICreatePixmap() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.
Products: Xorg Server

CVE-2024-31081 (Apr 04, 2024)
X.Org X11 Heap Buffer Over-Read in ProcXIPassiveGrabDevice
A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.
Products: Xorg Server

CVE-2024-21886 (Feb 28, 2024)
Heap Buffer Overflow in X.Org Server DisableDevice Function
A heap buffer overflow flaw was found in the DisableDevice function in the X.Org server. This issue may lead to an application crash or, in some circumstances, remote code execution in SSH X11 forwarding environments.
Products: Xorg Server, Xserver, Xwayland, and others

CVE-2024-21885 (Feb 28, 2024)
X.Org Server Heap Buffer Overflow in XISendDeviceHierarchyEvent
A flaw was found in X.Org server. In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.
Products: Xorg Server

CVE-2024-0229 (Feb 09, 2024)
X.Org Server OOB Memory Access: Priv Esc and RCE via X11 SSH
An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.
Products: Xwayland, X Server

CVE-2024-0409 (Jan 18, 2024)
X.Org Server Cursor Flaw Overwrites SELinux Context
A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.
Products: Xwayland, Xorg Server

CVE-2024-0408 (Jan 18, 2024)
X.Org Server GLX PBuffer XACE Hook Missing, Leading to SELinux Crash
A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.
Products: Xwayland, Xorg Server

CVE-2023-6816 (Jan 18, 2024)
X.Org Server: Heap Overflow via Button Mapping Bit Misallocation
A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.
Products: Xwayland, Xorg Server

CVE-2023-6478 (Dec 13, 2023)
xorg-server Integer Overflow in RR Change Provider/Output Property
A flaw was found in xorg-server. A specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information.
Products: Xorg Server

CVE-2023-6377 (Dec 13, 2023)
xorg-server XKB Action OOB Access Leading to RCE or Priv Esc
A flaw was found in xorg-server. Querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution in cases where X11 forwarding is involved.
Products: Xorg Server

CVE-2023-5574 (Oct 25, 2023)
Use-After-Free in Xvfb Zaphod Mode Enables Privilege Escalation
A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs in Xvfb with a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode). If the pointer is warped from screen 1 to screen 0, a use-after-free issue may be triggered during shutdown or reset of the Xvfb server, allowing for possible escalation of privileges or denial of service.
Products: Xwayland, X Server

CVE-2023-5380 (Oct 25, 2023)
Use-After-Free in X.Org X11 Server (Zaphod Mode) Crashes X Server
A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed.
Products: Xwayland, X Server

CVE-2023-5367 (Oct 25, 2023)
OOB Write in Xorg X11 Server XIChangeDeviceProperty
An out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in the RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service.
Products: Xwayland, X Server, Xorg Server, and others

CVE-2023-43789 (Oct 12, 2023)
libXpm OOB Read
A vulnerability was found in libXpm due to a boundary condition; a local user can trigger an out-of-bounds read error and read the contents of memory on the system.
Products: Libxpm

CVE-2023-43785 (Oct 10, 2023)
libX11 OOB Read via _XkbReadKeySyms
A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function. This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system.
Products: Libx11

CVE-2023-43787 (Oct 10, 2023)
Local Integer Overflow in XCreateImage() of libX11 (X.Org) Enables Priv Escalation
A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.
Products: Libx11

CVE-2023-43786 (Oct 10, 2023)
libX11 Denial of Service via Infinite Loop in PutSubImage
A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.
Products: Libx11

CVE-2023-43788 (Oct 10, 2023)
Local OOB Read in libXpm XpmCreateXpmImageFromBuffer
A vulnerability was found in libXpm due to a boundary condition within the XpmCreateXpmImageFromBuffer() function. This flaw allows a local attacker to trigger an out-of-bounds read error and read the contents of memory on the system.
Products: Libxpm

CVE-2023-3138 (Jun 28, 2023)
A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.
Products: Libx11

CVE-2023-1393 (Mar 30, 2023)
A flaw was found in X.Org Server Overlay Window. A Use-After-Free may lead to local privilege escalation. If a client explicitly destroys the compositor overlay window (aka COW), the Xserver would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later.
Products: Xorg Server

CVE-2023-0494 (Mar 27, 2023)
A vulnerability was found in X.Org. This issue occurs due to a dangling pointer in DeepCopyPointerClasses that can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read and write into freed memory. This can lead to local privilege elevation on systems where the X server runs privileged and remote code execution for ssh X forwarding sessions.
Products: X Server

CVE-2022-4883 (Feb 07, 2023)
A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.
Products: Libxpm

CVE-2022-46285 (Feb 07, 2023)
A flaw was found in libXpm. This issue occurs when parsing a file with a comment not closed; the end-of-file condition will not be detected, leading to an infinite loop and resulting in a Denial of Service in the application linked to the library.
Products: Libxpm

CVE-2022-44617 (Feb 06, 2023)
A flaw was found in libXpm. When processing a file with a width of 0 and a very large height, some parser functions will be called repeatedly and can lead to an infinite loop, resulting in a Denial of Service in the application linked to the library.
Products: Libxpm

CVE-2022-4283 (Dec 14, 2022)
A vulnerability was found in X.Org. This security flaw occurs because the XkbCopyNames function left a dangling pointer to freed memory, resulting in out-of-bounds memory access on subsequent XkbGetKbdByName requests. This issue can lead to local privilege elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.
Products: Xorg Server

CVE-2022-3553 (Oct 17, 2022)
A vulnerability, which was classified as problematic, was found in X.org Server. This affects an unknown part of the file hw/xquartz/X11Controller.m of the component xquartz. The manipulation leads to denial of service. It is recommended to apply a patch to fix this issue. The identifier VDB-211053 was assigned to this vulnerability.
Products: X Server

CVE-2022-3551 (Oct 17, 2022)
A vulnerability, which was classified as problematic, has been found in X.org Server. Affected by this issue is the function ProcXkbGetKbdByName of the file xkb/xkb.c. The manipulation leads to a memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211052.
Products: X Server

CVE-2022-3550 (Oct 17, 2022)
A vulnerability classified as critical was found in X.org Server. Affected by this vulnerability is the function _GetCountedString of the file xkb/xkb.c. The manipulation leads to a buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211051.
Products: X Server

CVE-2022-2320 (Sep 01, 2022)
A flaw was found in the Xorg-x11-server. The specific flaw exists within the handling of ProcXkbSetDeviceInfo requests. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. This flaw allows an attacker to escalate privileges and execute arbitrary code in the context of root.
Products: Xorg Server

CVE-2022-2319 (Sep 01, 2022)
A flaw was found in the Xorg-x11-server. An out-of-bounds access issue can occur in the ProcXkbSetGeometry function due to improper validation of the request length.
Products: Xorg Server

CVE-2021-4008 (Dec 17, 2021)
A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SProcRenderCompositeGlyphs function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Products: X Server

CVE-2021-4011 (Dec 17, 2021)
A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SwapCreateRegister function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Products: X Server

CVE-2021-4010 (Dec 17, 2021)
A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SProcScreenSaverSuspend function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Products: X Server

CVE-2021-4009 (Dec 17, 2021)
A flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SProcXFixesCreatePointerBarrier function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Products: X Server

CVE-2021-31535 (May 27, 2021)
LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.
Products: Libx11, X Window System
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).