This advisory covers five security vulnerabilities in the Xwayland component of the X.Org X server used in Red Hat Enterprise Linux 9.2. The issues include: CVE-2026-33999, a denial of service caused by an integer underflow in XKB compatibility map handling; CVE-2026-34000, information disclosure and denial of service via out-of-bounds read in XKB geometry processing; CVE-2026-34001, a use-after-free vulnerability that can cause server crashes and potential memory corruption; CVE-2026-34002, information disclosure or denial of service via out-of-bounds read in XKB modifier map handling; and CVE-2026-34003, information exposure and denial of service via out-of-bounds memory access. These vulnerabilities affect the handling of keyboard mapping and geometry data within Xwayland. Red Hat has issued patches in the xorg-x11-server-Xwayland package to address these issues.

Successful exploitation of these vulnerabilities could lead to denial of service conditions causing the X server to crash, potential memory corruption, and unauthorized information disclosure through out-of-bounds memory reads. The use-after-free vulnerability (CVE-2026-34001) may also lead to memory corruption, which could impact system stability. These issues affect the Xwayland server component, which facilitates running X clients under Wayland, potentially impacting graphical session stability and confidentiality of certain data processed by the server.

Red Hat has released security updates for the xorg-x11-server-Xwayland package in Red Hat Enterprise Linux 9.2 that address these vulnerabilities. Users should apply these official patches as soon as possible following the guidance in Red Hat advisory RHSA-2026:20547 (https://access.redhat.com/errata/RHSA-2026:20547). No additional mitigation steps are indicated beyond applying the provided updates.