Bug 2451109 (CVE-2026-34001)

Summary: CVE-2026-34001 xorg: xwayland: X.Org X server: Use-after-free vulnerability leads to server crash and potential memory corruption
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: rhel-process-autobot, security-response-team, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially enabling memory corruption. This could result in a denial of service or further compromise of the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2476958, 2476960, 2476961    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-25 07:00:31 UTC 
Use-after-free vulnerability in the XSYNC fence triggering logic of the X.Org X server. The flaw occurs in miSyncTriggerFence() while walking the list of fences to trigger: calling TriggerFence() for the current entry can invoke SyncAwaitTriggerFired(), which frees the entire await resource. This free operation removes all triggers from the await object, including subsequent list entries that miSyncTriggerFence() may still attempt to process, resulting in a use-after-free. An attacker with access to the X11 server can trigger the bug without user interaction, potentially crashing the server and, in some configurations, enabling memory corruption with higher impact.
Comment 4 errata-xmlrpc 2026-04-27 08:29:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:10739 https://access.redhat.com/errata/RHSA-2026:10739
Comment 5 errata-xmlrpc 2026-04-28 11:21:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:11352 https://access.redhat.com/errata/RHSA-2026:11352
Comment 6 errata-xmlrpc 2026-04-28 14:53:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:11369 https://access.redhat.com/errata/RHSA-2026:11369
Comment 7 errata-xmlrpc 2026-04-28 17:58:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:11388 https://access.redhat.com/errata/RHSA-2026:11388
Comment 8 errata-xmlrpc 2026-04-29 12:01:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:11656 https://access.redhat.com/errata/RHSA-2026:11656
Comment 9 errata-xmlrpc 2026-04-29 13:07:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:11692 https://access.redhat.com/errata/RHSA-2026:11692
Comment 10 errata-xmlrpc 2026-05-04 12:29:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:13414 https://access.redhat.com/errata/RHSA-2026:13414
Comment 11 errata-xmlrpc 2026-05-19 16:05:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19125 https://access.redhat.com/errata/RHSA-2026:19125
Comment 12 errata-xmlrpc 2026-05-19 21:36:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19344 https://access.redhat.com/errata/RHSA-2026:19344
Comment 13 errata-xmlrpc 2026-05-19 21:37:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19342 https://access.redhat.com/errata/RHSA-2026:19342
Comment 14 errata-xmlrpc 2026-05-19 21:37:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19343 https://access.redhat.com/errata/RHSA-2026:19343
Comment 15 errata-xmlrpc 2026-05-26 01:57:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:20562 https://access.redhat.com/errata/RHSA-2026:20562
Comment 16 errata-xmlrpc 2026-05-26 02:48:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:20557 https://access.redhat.com/errata/RHSA-2026:20557
Comment 17 errata-xmlrpc 2026-05-26 03:03:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:20547 https://access.redhat.com/errata/RHSA-2026:20547
Comment 18 errata-xmlrpc 2026-05-26 03:04:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:20560 https://access.redhat.com/errata/RHSA-2026:20560
Comment 19 errata-xmlrpc 2026-05-26 03:18:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:20563 https://access.redhat.com/errata/RHSA-2026:20563
Comment 20 errata-xmlrpc 2026-05-26 03:43:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:20561 https://access.redhat.com/errata/RHSA-2026:20561
Comment 21 errata-xmlrpc 2026-05-26 03:50:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:20558 https://access.redhat.com/errata/RHSA-2026:20558
Comment 22 errata-xmlrpc 2026-05-26 04:00:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:20575 https://access.redhat.com/errata/RHSA-2026:20575
Comment 23 errata-xmlrpc 2026-05-26 04:31:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:20590 https://access.redhat.com/errata/RHSA-2026:20590
Comment 24 errata-xmlrpc 2026-05-26 04:55:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:20576 https://access.redhat.com/errata/RHSA-2026:20576
Comment 25 errata-xmlrpc 2026-05-26 04:58:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:20555 https://access.redhat.com/errata/RHSA-2026:20555
Comment 26 errata-xmlrpc 2026-05-28 07:49:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:21699 https://access.redhat.com/errata/RHSA-2026:21699
Comment 27 errata-xmlrpc 2026-05-28 09:33:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:21712 https://access.redhat.com/errata/RHSA-2026:21712
Comment 28 errata-xmlrpc 2026-05-28 09:37:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:21715 https://access.redhat.com/errata/RHSA-2026:21715
Comment 29 errata-xmlrpc 2026-05-28 09:44:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:21716 https://access.redhat.com/errata/RHSA-2026:21716
Comment 30 errata-xmlrpc 2026-05-28 09:55:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:21718 https://access.redhat.com/errata/RHSA-2026:21718
Comment 31 errata-xmlrpc 2026-05-28 11:38:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:21741 https://access.redhat.com/errata/RHSA-2026:21741
Comment 32 errata-xmlrpc 2026-05-28 12:02:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:21742 https://access.redhat.com/errata/RHSA-2026:21742