Wednesday, April 15, 2026

X.Org is Still Alive and Just Fixed Five New Security Flaws


X.Org Server and Xwayland have received new security updates addressing five recently disclosed vulnerabilities in this long-standing but still maintained display stack.

The issues impact X.Org Server versions earlier than 21.1.22 and Xwayland versions prior to 24.1.10. Tracked as CVE-2026-33999 through CVE-2026-34003, the flaws include an XKB integer underflow, two out-of-bounds reads in XKB, a use-after-free issue in XSYNC, and an XKB buffer overflow.

These vulnerabilities have been resolved in the latest releases: xorg-server 21.1.22 and xwayland 24.1.10. Although modern Linux desktop development has largely shifted toward Wayland, X.Org continues to receive maintenance updates focused primarily on security rather than new features.
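
A check of installed package versions against the two fixed releases named above, as an added example that is not from the X.Org announcements or this article. The helper names and the sample package versions are hypothetical. It assumes GNU `sort -V` is available. Distributions may backport the fixes into an older upstream version, so a `below-fixed` result means the distribution's own advisory still needs checking.

```shell
#!/bin/sh
# Fixed upstream releases, as stated in the article.
FIXED_XORG="21.1.22"
FIXED_XWAYLAND="24.1.10"

# Reduce a package version to its upstream part by dropping a packaging
# epoch ("2:") and revision ("-1ubuntu1", "-1.fc42", "+dfsg").
upstream_version() {
    v=${1#*:}
    v=${v%%-*}
    v=${v%%+*}
    printf '%s\n' "$v"
}

# version_lt A B: true when A is strictly older than B. Uses GNU sort -V,
# because a plain string compare ranks "24.1.9" above "24.1.10".
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_fixed COMPONENT VERSION (hypothetical helper)
# Prints "below-fixed", "fixed" or "unknown".
check_fixed() {
    case $1 in
        xorg-server) fixed=$FIXED_XORG ;;
        xwayland)    fixed=$FIXED_XWAYLAND ;;
        *) echo unknown; return 0 ;;
    esac
    ver=$(upstream_version "$2")
    case $ver in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    if version_lt "$ver" "$fixed"; then echo below-fixed; else echo fixed; fi
}

# Constructed sample inputs (not taken from the article).
for s in "xorg-server 2:21.1.16-1ubuntu1" "xorg-server 21.1.22-1" \
         "xwayland 24.1.9-1.fc42" "xwayland 24.1.10"; do
    set -- $s
    printf '%-12s %-24s %s\n' "$1" "$2" "$(check_fixed "$1" "$2")"
done
```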

This ongoing support remains important because Xwayland still plays a critical role in today’s Linux environments. Even systems built around Wayland often depend on Xwayland to run legacy X11 applications. As a result, security issues in shared components can impact both X.Org users and Wayland users relying on Xwayland for compatibility.

In short, while X.Org is aging, it continues to receive periodic patches to address newly discovered vulnerabilities, largely because parts of the Linux desktop ecosystem still depend on its legacy infrastructure.

For more details, see the announcements here and here. CVE details are here.
