CVE-2026-34002 is an out-of-bounds read vulnerability in the X.Org X server's XKB modifier map handling component. An attacker with access to the X11 server can send a malformed request that causes the server to read memory beyond intended boundaries. This can result in exposure of sensitive information or cause the server to crash, leading to denial of service. The issue is part of a set of vulnerabilities affecting X.Org X server and Xwayland, all addressed by Red Hat in security advisories RHSA-2026:20547 and RHSA-2026:20555. The patches are included in updated xorg-x11-server and xorg-x11-server-Xwayland packages for Red Hat Enterprise Linux 9.2 and 9.4 variants, including Extended Update Support and Extended Life Cycle releases. The CVSS 3.1 base score is 6.1, reflecting medium severity with local attack vector, low complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, no integrity impact, and low availability impact.

Successful exploitation of this vulnerability can lead to disclosure of sensitive information from the server's memory or cause the X.Org X server to crash, resulting in denial of service. The confidentiality impact is high, while integrity is not affected, and availability impact is low. The attack requires local access to the X11 server and low privileges, with no user interaction needed.

Red Hat has released official security updates that address CVE-2026-34002. Users should apply the updated xorg-x11-server and xorg-x11-server-Xwayland packages as provided in Red Hat advisories RHSA-2026:20547 and RHSA-2026:20555. Detailed update instructions are available at https://access.redhat.com/articles/11258. Applying these patches fully mitigates the vulnerability. No additional mitigation steps are indicated by the vendor.