Use-after-free vulnerability in the XSYNC fence triggering logic of the X.Org X server. The flaw occurs in miSyncTriggerFence() while walking the list of fences to trigger: calling TriggerFence() for the current entry can invoke SyncAwaitTriggerFired(), which frees the entire await resource. This free operation removes all triggers from the await object, including subsequent list entries that miSyncTriggerFence() may still attempt to process, resulting in a use-after-free. An attacker with access to the X11 server can trigger the bug without user interaction, potentially crashing the server and, in some configurations, enabling memory corruption with higher impact.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:10739 https://access.redhat.com/errata/RHSA-2026:10739
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:11352 https://access.redhat.com/errata/RHSA-2026:11352
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:11369 https://access.redhat.com/errata/RHSA-2026:11369
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:11388 https://access.redhat.com/errata/RHSA-2026:11388
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:11656 https://access.redhat.com/errata/RHSA-2026:11656
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:11692 https://access.redhat.com/errata/RHSA-2026:11692
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:13414 https://access.redhat.com/errata/RHSA-2026:13414