CVE-2026-50258
A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLe
CVSS
7.8
High
EPSS
0.2%
p6
KEV
—
Exploit Today
2
0-100
Published: Jun 5, 2026 · Last modified: Jul 15, 2026 · CWE-121
0.2%EPSS · 30 days0.2%
2026-06-302026-07-17
A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger stack overflows. This is caused by an incomplete fix of CVE-2025-26597. This may be used to crash the server, or for privilege escalation if the X server runs as root.
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26562
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26566
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26590
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26610
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26709
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:28923
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:29844
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36083
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36085
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36086
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36087
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36632
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36633
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36634
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36768
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36791
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36792
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36798
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:38502
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:38810
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-510878.6 HIG94.0%
——28Tenda AC8V4 V16.03.34.06` was discovered to contain stack overflow at /goform/saveParentControlInfo. The manipulation of the argument time leads to stack-based buffer overflow.13dCVE-2025-510885.3 MED92.6%
——28Tenda AC8V4 V16.03.34.06` was discovered to contain stack overflow at /goform/WifiGuestSet. The manipulation of the argument `shareSpeed` leads to stack-based buffer overflow.13dCVE-2025-510855.3 MED92.6%
——28Tenda AC8V4 V16.03.34.06` was discovered to contain stack overflow at /goform/SetSysTimeCfg. The manipulation of the argument `timeZone` and `timeType` leads to stack-based buffer overflow.13dCVE-2021-271378.1 HIG91.8%
——28An issue was discovered in router/upnp/src/ssdp.c in DD-WRT before 45724. An unsafe strcpy in the UPnP handling functionality allows an unauthenticated remote attacker to send a request that would overflow an internal fixed buffer. Exploitation requires the DD-WRT user to enable UPnP (which is off by default, and only listens on internal interfaces by default). This occurs in ssdp_msearch (reachable by an M-SEARCH request).1dCVE-2025-606908.8 HIG89.1%
——27A stack-based buffer overflow exists in the get_merge_ipaddr function of the httpd binary on Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). The function concatenates up to four user-supplied CGI parameters matching <parameter>_0~3 into a fixed-size buffer (a2) without bounds checking. Remote attackers can exploit this vulnerability via specially crafted HTTP requests to execute arbitrary code or cause denial of service without authentication.13dCVE-2026-248818.1 HIG75.3%
——23In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT--kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution.3d