Bug 2496165 (CVE-2026-55999)

Summary: CVE-2026-55999 xorg: X11: xserver: X.org: glamor Font Atlas Heap Buffer Overflow
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: rhel-process-autobot, security-response-team, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the glamor_font_get() function of the xorg-x11-server. This vulnerability, a heap buffer overflow, occurs when the server processes a specially crafted PCF font file where individual glyph metrics exceed the declared maximum bounds. An authenticated X client can exploit this by loading a malicious font and drawing text, potentially leading to arbitrary code execution with attacker-controlled content and extent. This affects servers utilizing the glamor acceleration backend, such as Xorg with the modesetting driver and Xwayland.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2026-07-08   

Description OSIDB Bzimport 2026-07-01 20:21:13 UTC
glamor_font_get() builds a per-font texture atlas by laying out every glyph in the font into a single backing buffer. It computes the slot dimensions from the font's declared maxbounds, but copies each per-glyph bitmap using the individual glyph's metrics (GLYPHHEIGHTPIXELS/GLYPHWIDTHBYTES macros). There is no check that maxbounds actually bounds the per-glyph values.

When the font is loaded from a malicious PCF file whose per-glyph metrics exceed the file's maxbounds, the per-glyph memcpy writes far beyond the heap-allocated slot, producing a heap buffer overflow with attacker-controlled extent and attacker-controlled content.

An authenticated X client can trigger this by using SetFontPath to add a directory containing a crafted PCF font, loading the font with OpenFont, and drawing text on a glamor-backed drawable. Only servers using the glamor acceleration backend (Xorg with modesetting driver, Xwayland) are affected.

Comment 3 errata-xmlrpc 2026-07-13 03:55:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:38488 https://access.redhat.com/errata/RHSA-2026:38488

Comment 4 errata-xmlrpc 2026-07-13 04:01:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:38489 https://access.redhat.com/errata/RHSA-2026:38489

Comment 5 errata-xmlrpc 2026-07-13 05:58:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:38487 https://access.redhat.com/errata/RHSA-2026:38487

Comment 6 errata-xmlrpc 2026-07-13 06:31:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:38490 https://access.redhat.com/errata/RHSA-2026:38490

Comment 7 errata-xmlrpc 2026-07-13 09:02:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:38486 https://access.redhat.com/errata/RHSA-2026:38486