This security advisory from Red Hat addresses five vulnerabilities in the xorg-x11-server-Xwayland package, which is an X server for running X clients under Wayland. The vulnerabilities include: CVE-2026-33999, a denial of service caused by an integer underflow in XKB compatibility map handling; CVE-2026-34000, information disclosure and denial of service via out-of-bounds read in XKB geometry processing; CVE-2026-34001, a use-after-free vulnerability causing server crashes and potential memory corruption; CVE-2026-34002, information disclosure or denial of service via out-of-bounds read in XKB modifier map handling; and CVE-2026-34003, information exposure and denial of service via out-of-bounds memory access. These vulnerabilities impact the stability and confidentiality of the X.Org X server when running under Wayland. Red Hat has issued updated packages for Red Hat Enterprise Linux 9.0 across multiple architectures to fix these issues.

The vulnerabilities can lead to denial of service conditions causing the X.Org X server to crash or become unstable. Some vulnerabilities also allow information disclosure through out-of-bounds memory reads. The use-after-free vulnerability may result in memory corruption, potentially affecting system stability or security. These issues impact systems running Xwayland on affected Red Hat Enterprise Linux versions, potentially disrupting graphical sessions or exposing sensitive information handled by the X server.

Red Hat has released updated xorg-x11-server-Xwayland packages that address these vulnerabilities. Users of Red Hat Enterprise Linux 9.0 and related affected products should apply the security update as described in the Red Hat advisory RHSA-2026:20562. Detailed instructions for applying the update are available at https://access.redhat.com/articles/11258. No alternative mitigations or workarounds are indicated in the advisory. Applying the official update is the recommended remediation.