X.Org Server Underflow: Local RCE and DoS Risk

The National Vulnerability Database has disclosed CVE-2026-33999, an integer underflow vulnerability in the X.Org X server. Specifically, the flaw resides in the XKB compatibility map handling, enabling an attacker with local or remote X11 server access to trigger a buffer read overrun.

This isn’t just a crash; memory-safety violations are on the table. While the immediate impact is a denial of service (DoS), these types of memory corruption issues frequently lead to arbitrary code execution given enough attacker effort. A CVSS score of 7.8 (HIGH) reflects the potential for significant impact, particularly given the low attack complexity and lack of user interaction required once access is established.
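To make the bug class concrete, here is an added illustration (not X.Org's code, and not the actual CVE-2026-33999 logic, which the notice does not describe) of how an unsigned length subtraction can underflow and let a count check pass, placed beside a hardened version of the same check. The wire layout, field names and sizes are constructed assumptions modelled on the X11 convention of expressing request length in 4-byte units.

```c
#include <stdint.h>

/* Constructed request header (assumption, not X.Org's XkbSetCompatMap layout):
 * `length` is the whole request size in 4-byte units, `count` is the number of
 * fixed-size entries the client claims follow the header. */
#define HDR_BYTES   4u
#define ENTRY_BYTES 4u

struct req_hdr {
    uint16_t length;  /* total request length in 4-byte units */
    uint16_t count;   /* entries claimed to follow the header */
};

/* Defective check: when length*4 < HDR_BYTES the unsigned subtraction wraps,
 * `payload` becomes ~4 GiB and the count comparison always succeeds, so the
 * caller would go on to read `count` entries past the real request. Returns
 * the number of entries the check lets the caller read (0 = rejected). */
static uint32_t entries_accepted_vulnerable(const struct req_hdr *h)
{
    uint32_t payload = (uint32_t)h->length * 4u - HDR_BYTES;  /* may underflow */
    if (payload < (uint32_t)h->count * ENTRY_BYTES)
        return 0;
    return h->count;
}

/* Hardened check: prove the header fits before subtracting, then compare in a
 * form (division) that cannot wrap on a large `count`. */
static uint32_t entries_accepted_hardened(const struct req_hdr *h)
{
    uint32_t total = (uint32_t)h->length * 4u;
    if (total < HDR_BYTES)
        return 0;                               /* request too short for header */
    uint32_t payload = total - HDR_BYTES;       /* cannot underflow now */
    if (payload / ENTRY_BYTES < h->count)
        return 0;                               /* not enough bytes for entries */
    return h->count;
}
```

The telling case is a request with `length = 0` and a large `count`: the defective check accepts it, the hardened one rejects it, while a well-formed request (for example `length = 3`, `count = 2`) passes both.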

For defenders, this means any system running an X.Org X server is a potential target. The attacker’s calculus is straightforward: gain initial access, then exploit this flaw to escalate privileges or disrupt operations. CISOs need to ensure their patching cadence for core system components, especially those handling graphical interfaces, is aggressive. Don’t dismiss this as ‘just a DoS’: it’s a gateway to worse.

What This Means For You

  • If your organization utilizes X.Org X servers, prioritize patching immediately to mitigate CVE-2026-33999. Audit systems for unauthorized X11 server access and ensure robust access controls are in place, as this vulnerability can be exploited locally or remotely.

Indicators of Compromise

ID              Type               Indicator
CVE-2026-33999  DoS                X.Org X server
CVE-2026-33999  Memory Corruption  X.Org X server
CVE-2026-33999  Buffer Overflow    X.Org X server - XKB compatibility map handling (integer underflow leading to buffer read overrun)

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 23, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
