CVE-2025-26594: 
TigerVNC vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2025-26594) was discovered in X.Org and Xwayland, affecting the root cursor functionality. The vulnerability was disclosed on February 12, 2025, and impacts various versions of X.Org Server and Xwayland implementations. The issue stems from the root cursor being referenced as a global variable in the X server, where if a client frees the root cursor, the internal reference points to freed memory, resulting in a use-after-free condition (CVE Details).

The vulnerability has been assigned a CVSS v3.1 score of 7.8 (High), with the following characteristics: Attack Vector: Local, Attack Complexity: Low, Privileges Required: Low, User Interaction: None, Scope: Unchanged, and High impact on Confidentiality, Integrity, and Availability. The technical root cause involves the improper handling of the root cursor's memory management within the X server's global variable space (Ubuntu).

The vulnerability can lead to unauthorized access with high impacts on system confidentiality, integrity, and availability. When successfully exploited, the use-after-free condition could potentially allow an attacker to execute arbitrary code or cause system crashes, particularly affecting systems running X.Org Server or Xwayland (Red Hat Bugzilla).

Multiple vendors have released patches to address this vulnerability. Red Hat has issued security updates for Enterprise Linux versions 7, 8, and 9 through various security advisories. Ubuntu has also released fixes for affected versions of xorg-server and xwayland packages. Debian has addressed the vulnerability in both bullseye and bookworm releases (Red Hat Security, Debian Security).