This security advisory from Red Hat addresses five vulnerabilities in the X.Org X server and xwayland components used in Red Hat Enterprise Linux 7 Extended Lifecycle Support. The issues include an integer underflow causing denial of service (CVE-2026-33999), out-of-bounds reads leading to information disclosure and denial of service (CVE-2026-34000, CVE-2026-34002, CVE-2026-34003), and a use-after-free vulnerability that can cause server crashes and potential memory corruption (CVE-2026-34001). These vulnerabilities stem from improper handling of X Keyboard (XKB) compatibility maps, geometry processing, and modifier maps. Red Hat has released updated xorg-x11-server packages to fix these vulnerabilities. The advisory rates the security impact as Important (high severity).

Successful exploitation of these vulnerabilities could result in denial of service conditions causing the X.Org X server to crash or become unresponsive, potential memory corruption, and unauthorized disclosure of information through out-of-bounds memory reads. These impacts could disrupt graphical user interface functionality on affected Red Hat Enterprise Linux 7 systems. There are no reports of active exploitation in the wild.

Red Hat has released updated xorg-x11-server packages for Red Hat Enterprise Linux 7 Extended Lifecycle Support that address these vulnerabilities. Users should apply the security update as detailed in Red Hat advisory RHSA-2026:20590 and the referenced article https://access.redhat.com/articles/11258 to remediate these issues. Patch status is confirmed by the vendor advisory. No additional mitigation steps are indicated beyond applying the official update.