An integer underflow (wraparound) vulnerability exists in the XKB compatibility map handling of the X.Org X server. The issue occurs in XkbSetCompatMap() when a previously truncated “compat” buffer leaves unused space that is later reused without correctly updating the count of valid entries. Internal size/index calculations can then become inconsistent and potentially underflow, resulting in a buffer read overrun when subsequent XKB requests are processed. An attacker with access to the X11 server (local or via remote X11 forwarding/SSH tunneling) can trigger the flaw without user interaction, leading to memory-safety violations and potentially a crash or more severe impact depending on how Xorg/Xwayland is deployed.
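The invariant the description turns on (a count of valid entries that must track writes into slack left by an earlier truncation, and a subtraction that must be guarded) is shown below as an added, simplified model; it is not X.Org source code and not part of the advisory. The names `compat_t`, `compat_set`, `tail_len_unchecked` and `tail_len_checked` are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model (hypothetical names, not X server code): a table with
 * a count of valid entries (num) and an allocated capacity (size). */
typedef struct { uint32_t *ent; uint16_t num, size; } compat_t;

/* Hardened "set" request: write n entries starting at index first. */
int compat_set(compat_t *c, uint16_t first, uint16_t n,
               const uint32_t *src, int truncate)
{
    uint32_t end = (uint32_t)first + n;       /* widen before adding */
    if (first > c->num || end > UINT16_MAX)   /* no holes, no wrap */
        return -1;
    if (end > c->size) {                      /* grow capacity if needed */
        uint32_t *p = realloc(c->ent, end * sizeof *p);
        if (!p) return -1;
        c->ent = p;
        c->size = (uint16_t)end;
    }
    if (n) memcpy(c->ent + first, src, n * sizeof *src);
    /* The step the description names: when the write lands in slack left
     * by an earlier truncation, the valid-entry count must follow it. */
    if (truncate || end > c->num)
        c->num = (uint16_t)end;
    return 0;
}

/* Unchecked tail length: wraps to a large value when first > num. */
uint16_t tail_len_unchecked(const compat_t *c, uint16_t first)
{
    return (uint16_t)(c->num - first);
}

/* Checked tail length: rejects the request instead of wrapping. */
int tail_len_checked(const compat_t *c, uint16_t first, uint16_t *out)
{
    if (first > c->num) return -1;
    *out = (uint16_t)(c->num - first);
    return 0;
}
```
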
This issue has been addressed in the following products: Red Hat Enterprise Linux 9, via RHSA-2026:10739 https://access.redhat.com/errata/RHSA-2026:10739
This issue has been addressed in the following products: Red Hat Enterprise Linux 10, via RHSA-2026:11352 https://access.redhat.com/errata/RHSA-2026:11352
This issue has been addressed in the following products: Red Hat Enterprise Linux 9, via RHSA-2026:11369 https://access.redhat.com/errata/RHSA-2026:11369
This issue has been addressed in the following products: Red Hat Enterprise Linux 9, via RHSA-2026:11388 https://access.redhat.com/errata/RHSA-2026:11388
This issue has been addressed in the following products: Red Hat Enterprise Linux 8, via RHSA-2026:11656 https://access.redhat.com/errata/RHSA-2026:11656
This issue has been addressed in the following products: Red Hat Enterprise Linux 8, via RHSA-2026:11692 https://access.redhat.com/errata/RHSA-2026:11692
This issue has been addressed in the following products: Red Hat Enterprise Linux 8, via RHSA-2026:13414 https://access.redhat.com/errata/RHSA-2026:13414