// 6 ZERO-DAY · 8 CVE · 4 EXPLOIT IN THE LAST 24H
A use-after-free vulnerability in the CommonMakeCurrent function allows a local attacker to escalate privileges to root. The flaw was publicly disclosed on July 15, 2026.

On July 15, 2026, the Trend Micro Zero Day Initiative published advisory ZDI-26-405 detailing a vulnerability in X.Org Server, the longstanding display server for Linux and Unix systems. The same day, a patch commit signed by Peter Hutterer on the GitLab FreeDesktop repository revealed the exact trigger mechanics. The flaw, tracked as CVE-2026-56000 with a CVSS score of 7.8, affects the GLX subsystem.

Key Takeaways
  • The vulnerability resides in the CommonMakeCurrent function of the X.Org Server GLX extension and allows local privilege escalation to root.
  • The mechanism is a use-after-free caused by reallocation of the contextTags array, which invalidates a stale pointer subsequently dereferenced for a write operation.
  • The trigger condition requires creating 17 distinct GLX contexts to exhaust the initial 16 array slots and force dynamic reallocation.
  • X.Org has published the patch commit (2779affb) with regression tests that reproduce the bug; credit goes to an anonymous researcher in coordination with ZDI.

The Mechanism: How a Stale Pointer Becomes Arbitrary Write

The root of the flaw lies in the interaction between two functions in the GLX subsystem. When CommonMakeCurrent() manages a rendering context, it stores a pointer to an element of the cl->contextTags array in oldTag. If CommonMakeNewCurrent() calls GlxAllocContextTag() and the latter finds all 16 initial slots occupied, it executes a realloc() of the array. The oldTag pointer, however, continues to point to the original address. The subsequent call to GlxFreeContextTag(oldTag) then writes into already-freed memory.

The patch commit (2779affb), authored by Peter Hutterer with credit to "Anonymous working with Trend Micro Zero Day Initiative," explicitly describes this sequence. The regression tests attached to the commit reproduce the bug by creating 17 GLX contexts, making the first 16 current with oldContextTag=0 to occupy the slots, then executing a switch that forces the reallocation.

"oldTag in CommonMakeCurrent() is a pointer to cl->contextTags[...]. CommonMakeCurrent() may realloc(cl->contextTags) and thus move the array. If we then GlxFreeContextTag(oldTag) we end up writing into freed memory." — GitLab Commit 2779affb, Peter Hutterer

The Trigger Condition: The Mathematics of 16 Slots

The 16 initial contextTags slots suffice for most use cases, but an attacker controlling the number of created contexts can force this threshold to be exceeded. The 17 contexts in the regression test represent the minimum condition to trigger the reallocation that exposes the dangling pointer.

This structure makes the vulnerability particularly insidious because it requires neither complex race conditions nor malformed inputs. The MakeCurrent operation is legitimate and frequent; it is its combination with a specific allocation pattern that generates the memory corruption. Advisory ZDI-26-405 emphasizes that the attacker "must first obtain the ability to execute low-privileged code on the target system," which restricts the vector to local contexts.

Who Is at Risk and Why the Display Server Matters

X.Org Server remains the reference display server for Linux and Unix installations that have not yet migrated to Wayland or that depend on legacy applications with GLX requirements. Servers with restricted access but graphical capabilities, shared workstations, and infrastructures running graphical applications with separate privileges: all these scenarios expose a surface where a user process can interact with the X server.

The CVSS 7.8 assigned by ZDI to CVE-2026-56000 reflects the vulnerability's high impact. The full CVSS vector detail is not available in the sources consulted. Advisory ZDI-26-405 indicates the exploit allows "arbitrary code execution in the context of root."

The Disclosure and Source Limitations

The disclosure timeline shows a vendor report dated May 29, 2026, and a coordinated public release on July 15, 2026. The GitLab commit includes the bug description, references to ZDI-CAN-30561, and the tests documenting the trigger condition.

This article is based on advisory ZDI-26-405 and the official patch commit; no information is available on specific affected versions or in-the-wild exploits. The available sources show no indication of a public exploit at the time of writing.

What to Do Now

  • Apply patch commit 2779affb on systems that compile X.Org Server from source.
  • Await updates from Linux distributions that maintain precompiled X.Org Server packages.
  • Check distribution changelogs to verify if CVE-2026-56000 is listed among applied fixes.

Analysis: The Stale Pointer Pattern in Legacy Code

CVE-2026-56000 illustrates a recurring pattern in system software: a pointer preserved across a realloc operation that can move the referenced memory region. In this specific case, the oldTag pointer in CommonMakeCurrent() survives the call to GlxAllocContextTag() without being recalculated, creating the use-after-free condition.

The patch resolves the issue by recalculating the pointer after the operation that may reallocate the array. The regression tests attached to the commit provide a reproducible procedure to trigger the bug, which can be used to verify the fix's effectiveness.

This analysis is limited to verifiable facts from the cited sources. The brief provides no information on other related vulnerabilities or attack campaigns exploiting this specific flaw.

Information has been verified against cited sources and is current as of publication.

Sources


Sources and references
  1. zerodayinitiative.com
  2. gitlab.freedesktop.org