This advisory covers five distinct vulnerabilities in the xorg-x11-server-Xwayland package, which is an X server for running X clients under Wayland. The issues include: CVE-2026-33999, a denial of service caused by an integer underflow in XKB compatibility map handling; CVE-2026-34000, information disclosure and denial of service via out-of-bounds read in XKB geometry processing; CVE-2026-34001, a use-after-free vulnerability that can cause server crashes and potential memory corruption; CVE-2026-34002, information disclosure or denial of service via out-of-bounds read in XKB modifier map handling; and CVE-2026-34003, information exposure and denial of service via out-of-bounds memory access. These vulnerabilities affect multiple architectures and Red Hat Enterprise Linux variants, including Extended Update Support versions. The vendor has released updated packages to remediate these issues.

Successful exploitation of these vulnerabilities could lead to denial of service conditions causing the X server to crash or become unresponsive. Additionally, some vulnerabilities allow information disclosure through out-of-bounds memory reads, potentially exposing sensitive data. The use-after-free vulnerability may also lead to memory corruption, which could destabilize the server. There are no known exploits in the wild at this time. The impact is rated as high by Red Hat Product Security.

Red Hat has released updated xorg-x11-server-Xwayland packages that address these vulnerabilities. Users and administrators should apply the security update as soon as possible by following the instructions in the Red Hat advisory RHSA-2026:20561 and the referenced article https://access.redhat.com/articles/11258. No alternative mitigations or workarounds are specified. Applying the official update fully remediates the vulnerabilities.