This security advisory addresses five vulnerabilities in the xorg-x11-server-Xwayland package used in Red Hat Enterprise Linux 9.4 EUS. The issues include: an integer underflow in XKB compatibility map handling leading to denial of service (CVE-2026-33999); out-of-bounds reads in XKB geometry processing causing information disclosure and denial of service (CVE-2026-34000); a use-after-free vulnerability causing server crashes and potential memory corruption (CVE-2026-34001); out-of-bounds reads in XKB modifier map handling resulting in information disclosure or denial of service (CVE-2026-34002); and out-of-bounds memory access causing information exposure and denial of service (CVE-2026-34003). These vulnerabilities affect the Xwayland server component that allows X clients to run under Wayland. Red Hat has issued updated packages to remediate these vulnerabilities.

Successful exploitation of these vulnerabilities could lead to denial of service conditions causing the X server to crash or become unresponsive, information disclosure through out-of-bounds memory reads, and potential memory corruption due to use-after-free bugs. These impacts could affect system stability and confidentiality of information processed by the X server. No evidence of active exploitation in the wild has been reported.

Red Hat has released updated xorg-x11-server-Xwayland packages for Red Hat Enterprise Linux 9.4 Extended Update Support that address these vulnerabilities. Users should apply the security update as described in the Red Hat advisory RHSA-2026:20560 (https://access.redhat.com/errata/RHSA-2026:20560) and the update instructions at https://access.redhat.com/articles/11258. Applying these official patches fully mitigates the described vulnerabilities. There is no indication that additional mitigation steps are required beyond applying the update.