Bug 2496165 (CVE-2026-55999) - CVE-2026-55999 xorg: X11: xserver: X.org: glamor Font Atlas Heap Buffer Overflow
Summary: CVE-2026-55999 xorg: X11: xserver: X.org: glamor Font Atlas Heap Buffer Overflow
Keywords:
Status: NEW
Alias: CVE-2026-55999
Deadline: 2026-07-08
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-01 20:21 UTC by OSIDB Bzimport
Modified: 2026-07-13 09:02 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:38486 0 None None None 2026-07-13 09:02:25 UTC
Red Hat Product Errata RHSA-2026:38487 0 None None None 2026-07-13 05:58:08 UTC
Red Hat Product Errata RHSA-2026:38488 0 None None None 2026-07-13 03:55:43 UTC
Red Hat Product Errata RHSA-2026:38489 0 None None None 2026-07-13 04:01:55 UTC
Red Hat Product Errata RHSA-2026:38490 0 None None None 2026-07-13 06:31:58 UTC

Description OSIDB Bzimport 2026-07-01 20:21:13 UTC
glamor_font_get() builds a per-font texture atlas by laying out every glyph in the font into a single backing buffer. It computes the slot dimensions from the font's declared maxbounds, but copies each per-glyph bitmap using the individual glyph's metrics (GLYPHHEIGHTPIXELS/GLYPHWIDTHBYTES macros). There is no check that maxbounds actually bounds the per-glyph values.

When the font is loaded from a malicious PCF file whose per-glyph metrics exceed the file's maxbounds, the per-glyph memcpy writes far beyond the heap-allocated slot, producing a heap buffer overflow with attacker-controlled extent and attacker-controlled content.

An authenticated X client can trigger this by using SetFontPath to add a directory containing a crafted PCF font, loading the font with OpenFont, and drawing text on a glamor-backed drawable. Only servers using the glamor acceleration backend (Xorg with modesetting driver, Xwayland) are affected.

Comment 3 errata-xmlrpc 2026-07-13 03:55:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:38488 https://access.redhat.com/errata/RHSA-2026:38488

Comment 4 errata-xmlrpc 2026-07-13 04:01:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:38489 https://access.redhat.com/errata/RHSA-2026:38489

Comment 5 errata-xmlrpc 2026-07-13 05:58:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:38487 https://access.redhat.com/errata/RHSA-2026:38487

Comment 6 errata-xmlrpc 2026-07-13 06:31:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:38490 https://access.redhat.com/errata/RHSA-2026:38490

Comment 7 errata-xmlrpc 2026-07-13 09:02:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:38486 https://access.redhat.com/errata/RHSA-2026:38486


Note You need to log in before you can comment on or make changes to this bug.