An elementary coding error in X.Org Server allows out-of-bounds reads with potential escalation: the details of ZDI-26-396.

The ZDI-26-396 advisory was published as a coordinated release on June 24, 2026 by Trend Micro's Zero Day Initiative, roughly two months after internal reporting on April 17. The vulnerability affects X.Org Server, a core component of the graphics stack on Linux and Unix-like systems, and stems from a programming error that would have been caught in any routine code review: a reversed comparison operator in the length validation of a GLX request.

Key Takeaways
  • The ZDI-26-396 advisory documents an out-of-bounds read vulnerability in X.Org Server, published as a coordinated release on June 24, 2026.
  • The root cause is a reversed comparison operator (< instead of >) in the ChangeDrawableAttributes request length check, allowing malformed requests to bypass validation.
  • Exploitation requires the ability to run low-privileged code locally and can leak sensitive information; full escalation to root requires chaining with other vulnerabilities.
  • Peter Hutterer's patch commit on GitLab.freedesktop.org fixes the flaw and removes obsolete workarounds for Mesa bugs in four related functions.

How a Reversed Operator Bypasses GLX Request Validation

The flaw resides in the handling of the numAttribs field in the __glXDisp_ChangeDrawableAttributes and __glXDispSwap_ChangeDrawableAttributes functions, which manage GLX drawable attribute modifications. According to the ZDI advisory, the issue arises from the "lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure."

The patch commit 6d459e4d by Peter Hutterer, published on GitLab.freedesktop.org, specifies the mechanism precisely: the check tests whether the computed request size is less than client->req_len, but it should test whether it is greater. With the reversed operator, an undersized request — where numAttribs declares more attribute pairs than the actual data contains — passes validation uncaught.

The computed size uses the expression sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3), where the left shift of 3 bits equals a multiplication by 8. When numAttribs is artificially inflated relative to the actual request length, the erroneous check fails to detect the discrepancy, and the DoChangeDrawableAttributes function iterates over attribute pairs starting from the end of the header, reading past the actual request data into adjacent memory.
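
The direction of the check can be seen in a small model (an added example, not code from X.Org Server or from the patch). The names check_reversed, check_fixed and pairs_out_of_bounds, the 12-byte header size and the byte-counted request length are assumptions made for the illustration; the input cases are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define BAD_LENGTH 16   /* X11 BadLength error code */
#define HDR_BYTES  12u  /* assumed stand-in for sizeof(xGLXChangeDrawableAttributesReq) */

/* Size the header claims: fixed header plus 8 bytes per (key, value) pair.
 * Widened to 64 bits so a huge numAttribs cannot wrap the shift. */
static uint64_t claimed_bytes(uint32_t num_attribs) {
    return HDR_BYTES + ((uint64_t)num_attribs << 3);
}

/* Reversed check as the page describes it: rejects only when claimed < received. */
int check_reversed(uint32_t num_attribs, uint32_t req_len_bytes) {
    return claimed_bytes(num_attribs) < req_len_bytes ? BAD_LENGTH : 0;
}

/* Corrected direction: reject when the claimed size exceeds what was received. */
int check_fixed(uint32_t num_attribs, uint32_t req_len_bytes) {
    return claimed_bytes(num_attribs) > req_len_bytes ? BAD_LENGTH : 0;
}

/* How many declared pairs would be read from beyond the received request data. */
uint32_t pairs_out_of_bounds(uint32_t num_attribs, uint32_t req_len_bytes) {
    uint32_t avail = req_len_bytes > HDR_BYTES ? (req_len_bytes - HDR_BYTES) / 8 : 0;
    return num_attribs > avail ? num_attribs - avail : 0;
}

int main(void) {
    /* Constructed cases: {numAttribs, bytes actually received}. */
    const uint32_t cases[][2] = {
        {2, 28},           /* well-formed: 12 + 2*8 */
        {4, 20},           /* undersized: claims 4 pairs, carries 1 */
        {1, 28},           /* oversized: extra trailing data */
        {0xFFFFFFFFu, 12}, /* extreme count, header only */
    };
    puts("numAttribs  received  reversed  fixed  pairs_oob");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t n = cases[i][0], len = cases[i][1];
        printf("%10u  %8u  %8d  %5d  %9u\n", n, len,
               check_reversed(n, len), check_fixed(n, len),
               pairs_out_of_bounds(n, len));
    }
    return 0;
}
```

The undersized rows are the ones that matter: the reversed check returns 0 (accepted) while the corrected check returns BadLength, and pairs_out_of_bounds gives the number of attribute pairs a loop over numAttribs would take from outside the request.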

From Out-of-Bounds Read to Potential Controlled Write

The immediate consequence is an out-of-bounds read from X server memory, exposing sensitive information. The patch commit documents a more severe effect, however: the read can degenerate into an out-of-bounds write when a GLX_EVENT_MASK key is found in the overrun data. In that case, the corresponding value is written into the eventMask field of the pGlxDraw structure, opening the door to controlled manipulation of internal server data structures.

"The check tests whether the computed request size is LESS THAN client->req_len, but should test whether it is GREATER THAN. With the reversed operator, an undersized request passes validation." — Peter Hutterer, commit 6d459e4d

The ZDI advisory characterizes the impact as sensitive information disclosure, with the specific note that an attacker can exploit this vulnerability in combination with other vulnerabilities to execute arbitrary code in the context of root. The source does not document which additional vulnerabilities are required to complete the escalation, nor does it provide details on specific chaining techniques.

The Workaround Context: Why the Bug Stayed Hidden

A notable aspect emerges from the patch commit: the fix does not merely invert the operator, but also removes technical workarounds previously introduced for Mesa bugs in related functions, including GetFBConfigsSGIX, DestroyPixmap, DestroyWindow, and GetDrawableAttributes. These workarounds were implemented to bypass known issues in the open-source graphics driver, but they complicated the auditing path of the GLX code.

Historical compatibility code, often inadequately documented in comments or separated into dedicated functions, is a recurring pattern in the maintenance of mature codebases like X.Org Server. In this case, the workaround likely helped obscure the faulty check, which remained unchanged through subsequent code revisions.

What to Do Now

System administrators managing X.Org Server deployments in multi-user environments must verify the availability of the update issued by X.Org. The patch is identifiable by commit 6d459e4d on GitLab.freedesktop.org, which explicitly corrects the reversed length check in ChangeDrawableAttributes.

Operational priorities are threefold. First: update X.Org servers in infrastructure where unprivileged users execute code, particularly graphics virtualization servers and environments with access to X11 sockets. Second: verify that X server builds do not contain prior versions of the GLX code with the faulty check. Third: monitor the freedesktop.org repository for any advisories related to the removal of the Mesa workarounds, which could reveal further issues in the same code area.

The available sources do not specify affected X.Org Server versions, nor do they list distributions that have included the patch. No CVE is assigned in the advisory, and no CVSS score is reported. No infrastructure overlaps link the vulnerability to documented attack campaigns.

Frequently Asked Questions

What conditions are required to exploit the vulnerability?

According to the ZDI advisory, the attacker must already have the ability to execute low-privilege code on the target system. The vulnerability is not remote.

Why does a single operator error have high security impact?

The ChangeDrawableAttributes function belongs to the critical path of GLX requests, exposed to all graphics applications. A validation check positioned at this stage acts as a gatekeeper for the entire subsystem; its failure allows out-of-bounds reads from the memory of the X server process, which typically runs with elevated privileges.

Does the patch only fix the reversed operator?

No: commit 6d459e4d corrects the faulty check and simultaneously removes workarounds for Mesa bugs in four related functions, indicating a broader revision of GLX attribute handling.

Information is based on the cited source and current as of publication.

Sources and references
  1. zerodayinitiative.com
  2. gitlab.freedesktop.org