An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searches for the pointer device based on its device ID and returns the matching value, or supposedly NULL, if no match was found. However, the code will return the last element of the list if no matching device ID is found, which can lead to out-of-bounds memory access.
Conclusion & alert: CVE-2025-26598 is rated Low Risk (33.3/100): CVSS High severity, with low exploitation likelihood (EPSS 0.02%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-04-05 | 0.06% | 0.02% | -0.03% |
| 2 | 2025-12-16 | 0.04% | 0.06% | +0.01% |
| 3 | 2025-12-14 | — | 0.04% | — |
Full EPSS history (5 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.8 | 3.1 | HIGH |
|
1.8 | 5.9 | [email protected] |
| 7.8 | 3.1 | HIGH |
|
1.8 | 5.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2025-26598: 2 source package rows (xorg-server, xwayland); 6 state rows across 3 repos (3.21-community, 3.22-community, edge-community); fixed 6, open 0. | https://security.alpinelinux.org/vuln/CVE-2025-26598 |
debian
|
not yet assigned | CVE-2025-26598 not yet assigned priority: Debian including 2 source packages (xorg-server, xwayland), 9 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 8, open 1. | https://security-tracker.debian.org/tracker/CVE-2025-26598 |
gentoo
|
high | CVE-2025-26598: 1 GLSA(s) (202506-04), 2 atom(s) (x11-base/xorg-server, x11-base/xwayland); latest impact high. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2025-26598 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2025-26598 |
suse
|
medium | CVE-2025-26598 severity moderate: SUSE including 310 source package names (21:xorg-x11-server-21.1.11-150600.5.6.1, 21:xorg-x11-server-Xvfb-21.1.11-150600.5.6.1, …), 394 product×package rows across 58 product lines (Container suse/kiosk/xorg, Image SLES15-SP3-SAPCAL-Azure, … (58 product lines)): Known Affected 231, Fixed 162, Known Not Affected 1. | https://www.suse.com/security/cve/CVE-2025-26598/ |
ubuntu
|
medium | CVE-2025-26598 medium priority: Ubuntu including 7 source packages (xorg, xorg-hwe-16.04, …), 58 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 25, released 17, not-affected 13, needs-triage 3. | https://ubuntu.com/security/CVE-2025-26598 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| tigervnc | tigervnc | — | cpe:2.3:a:tigervnc:tigervnc:-:*:*:*:*:*:*:* |
| x.org | x_server | < 21.1.16 | cpe:2.3:a:x.org:x_server:*:*:*:*:*:*:*:* |
| x.org | xwayland | < 24.1.6 | cpe:2.3:a:x.org:xwayland:*:*:*:*:*:*:*:* |
| redhat | enterprise_linux | 7.0 | cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux | 8.0 | cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux | 9.0 | cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* |