
Description

A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local or remote X11 server access to trigger a buffer read overrun. This can lead to memory-safety violations and potentially a denial of service (DoS) or other severe impacts.

Status: PUBLISHED | Reserved: 2026-03-25 | Published: 2026-04-23 | Updated: 2026-06-08 | Assigner: redhat

Severity: HIGH 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

Integer Underflow (Wrap or Wraparound)

Product status

Default status for every package range below: affected. The listed rpm version and all later versions (the record's "before *" range) are unaffected.

0:24.1.5-6.el10_1 (rpm) and later: unaffected
0:24.1.9-4.el10_2 (rpm) and later: unaffected
0:24.1.5-6.el10_0 (rpm) and later: unaffected
0:1.1.0-25.el6_10.16 (rpm) and later: unaffected
0:1.20.4-34.el7_9 (rpm) and later: unaffected
0:1.8.0-36.el7_9.4 (rpm) and later: unaffected
0:21.1.3-20.el8_10 (rpm) and later: unaffected
0:1.20.11-28.el8_10 (rpm) and later: unaffected
0:1.15.0-9.el8_10 (rpm) and later: unaffected
0:1.20.10-4.el8_4 (rpm) and later: unaffected
0:1.11.0-8.el8_4.15 (rpm) and later: unaffected
0:1.20.10-4.el8_4 (rpm) and later: unaffected
0:1.11.0-8.el8_4.15 (rpm) and later: unaffected
0:21.1.3-2.el8_6.6 (rpm) and later: unaffected
0:1.20.11-7.el8_6 (rpm) and later: unaffected
0:1.12.0-6.el8_6.17 (rpm) and later: unaffected
0:1.12.0-6.el8_6.17 (rpm) and later: unaffected
0:21.1.3-2.el8_6.6 (rpm) and later: unaffected
0:1.20.11-7.el8_6 (rpm) and later: unaffected
0:21.1.3-2.el8_6.6 (rpm) and later: unaffected
0:1.20.11-7.el8_6 (rpm) and later: unaffected
0:21.1.3-13.el8_8 (rpm) and later: unaffected
0:1.20.11-18.el8_8 (rpm) and later: unaffected
0:1.12.0-15.el8_8.17 (rpm) and later: unaffected
0:21.1.3-13.el8_8 (rpm) and later: unaffected
0:1.20.11-18.el8_8 (rpm) and later: unaffected
0:1.12.0-15.el8_8.17 (rpm) and later: unaffected
0:1.15.0-6.el9_7.1 (rpm) and later: unaffected
0:23.2.7-6.el9_7 (rpm) and later: unaffected
0:1.20.11-33.el9_7 (rpm) and later: unaffected
0:1.15.0-7.el9_8.1 (rpm) and later: unaffected
0:1.20.11-34.el9_8 (rpm) and later: unaffected
0:24.1.9-4.el9_8 (rpm) and later: unaffected
0:21.1.3-5.el9_0 (rpm) and later: unaffected
0:1.20.11-13.el9_0 (rpm) and later: unaffected
0:1.11.0-22.el9_0.17 (rpm) and later: unaffected
0:21.1.3-10.el9_2 (rpm) and later: unaffected
0:1.20.11-20.el9_2 (rpm) and later: unaffected
0:1.12.0-14.el9_2.14 (rpm) and later: unaffected
0:1.20.11-28.el9_4 (rpm) and later: unaffected
0:22.1.9-8.el9_4 (rpm) and later: unaffected
0:1.13.1-8.el9_4.9 (rpm) and later: unaffected
0:1.20.11-33.el9_6 (rpm) and later: unaffected
0:23.2.7-6.el9_6 (rpm) and later: unaffected
0:1.14.1-10.el9_6 (rpm) and later: unaffected

Default status: unknown

Timeline

2026-03-25: Reported to Red Hat.
2026-04-23: Made public.

Credits

Red Hat would like to thank Jan-Niklas Sohn (TrendAI Zero Day Initiative) for reporting this issue.

References

access.redhat.com/errata/RHSA-2026:10739 (RHSA-2026:10739) vendor-advisory

access.redhat.com/errata/RHSA-2026:11352 (RHSA-2026:11352) vendor-advisory

access.redhat.com/errata/RHSA-2026:11369 (RHSA-2026:11369) vendor-advisory

access.redhat.com/errata/RHSA-2026:11388 (RHSA-2026:11388) vendor-advisory

access.redhat.com/errata/RHSA-2026:11656 (RHSA-2026:11656) vendor-advisory

access.redhat.com/errata/RHSA-2026:11692 (RHSA-2026:11692) vendor-advisory

access.redhat.com/errata/RHSA-2026:13414 (RHSA-2026:13414) vendor-advisory

access.redhat.com/errata/RHSA-2026:19125 (RHSA-2026:19125) vendor-advisory

access.redhat.com/errata/RHSA-2026:19342 (RHSA-2026:19342) vendor-advisory

access.redhat.com/errata/RHSA-2026:19343 (RHSA-2026:19343) vendor-advisory

access.redhat.com/errata/RHSA-2026:19344 (RHSA-2026:19344) vendor-advisory

access.redhat.com/errata/RHSA-2026:20547 (RHSA-2026:20547) vendor-advisory

access.redhat.com/errata/RHSA-2026:20555 (RHSA-2026:20555) vendor-advisory

access.redhat.com/errata/RHSA-2026:20557 (RHSA-2026:20557) vendor-advisory

access.redhat.com/errata/RHSA-2026:20558 (RHSA-2026:20558) vendor-advisory

access.redhat.com/errata/RHSA-2026:20560 (RHSA-2026:20560) vendor-advisory

access.redhat.com/errata/RHSA-2026:20561 (RHSA-2026:20561) vendor-advisory

access.redhat.com/errata/RHSA-2026:20562 (RHSA-2026:20562) vendor-advisory

access.redhat.com/errata/RHSA-2026:20563 (RHSA-2026:20563) vendor-advisory

access.redhat.com/errata/RHSA-2026:20575 (RHSA-2026:20575) vendor-advisory

access.redhat.com/errata/RHSA-2026:20576 (RHSA-2026:20576) vendor-advisory

access.redhat.com/errata/RHSA-2026:20590 (RHSA-2026:20590) vendor-advisory

access.redhat.com/errata/RHSA-2026:21699 (RHSA-2026:21699) vendor-advisory

access.redhat.com/errata/RHSA-2026:21712 (RHSA-2026:21712) vendor-advisory

access.redhat.com/errata/RHSA-2026:21715 (RHSA-2026:21715) vendor-advisory

access.redhat.com/errata/RHSA-2026:21716 (RHSA-2026:21716) vendor-advisory

access.redhat.com/errata/RHSA-2026:21718 (RHSA-2026:21718) vendor-advisory

access.redhat.com/errata/RHSA-2026:21741 (RHSA-2026:21741) vendor-advisory

access.redhat.com/errata/RHSA-2026:21742 (RHSA-2026:21742) vendor-advisory

access.redhat.com/errata/RHSA-2026:22424 (RHSA-2026:22424) vendor-advisory

access.redhat.com/errata/RHSA-2026:22456 (RHSA-2026:22456) vendor-advisory

access.redhat.com/errata/RHSA-2026:23254 (RHSA-2026:23254) vendor-advisory

access.redhat.com/errata/RHSA-2026:23255 (RHSA-2026:23255) vendor-advisory

access.redhat.com/errata/RHSA-2026:23496 (RHSA-2026:23496) vendor-advisory

access.redhat.com/errata/RHSA-2026:24341 (RHSA-2026:24341) vendor-advisory

access.redhat.com/security/cve/CVE-2026-33999 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2451106 (RHBZ#2451106) issue-tracking

cve.org (CVE-2026-33999)

nvd.nist.gov (CVE-2026-33999)
