SB2026041597 - SUSE update for xorg-x11-server
Published: April 15, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Integer underflow (CVE-ID: CVE-2026-33999)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an integer underflow in XkbSetCompatMap() when processing a future request after a previously truncated compat buffer left unused space. A local user can gain access to sensitive information.
2) Out-of-bounds read (CVE-ID: CVE-2026-34000)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in CheckSetGeom() when handling key alias entries and validating only the first key name. A local user can gain access to sensitive information.
3) Use-after-free (CVE-ID: CVE-2026-34001)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in miSyncTriggerFence() when walking the list of fences to trigger. A local user can trigger fence processing to cause a denial of service.
The issue occurs because freeing the await resource removes subsequent trigger entries from the list during iteration.
4) Out-of-bounds read (CVE-ID: CVE-2026-34002)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in CheckModifierMap() when parsing client request data without verifying that reads remain within request bounds. A local user disclose sensitive information.
5) Out-of-bounds read (CVE-ID: CVE-2026-34003)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in CheckKeyTypes() when processing a client request without ensuring that reads remain within request bounds. A local user can gain access to sensitive information.
Remediation
Install update from vendor's website.