OESA-2026-2681

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2681
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2681.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2681
Upstream
  • CVE-2026-50256
  • CVE-2026-50257
  • CVE-2026-50258
  • CVE-2026-50259
  • CVE-2026-50260
  • CVE-2026-50261
  • CVE-2026-50262
  • CVE-2026-50263
  • CVE-2026-50264
Published
2026-06-12T12:28:46Z
Modified
2026-06-12T12:45:12.167049645Z
Summary
xorg-x11-server security update
Details

X.Org X11 X server

Security Fix(es):

Hi all,

CVEs have been issued now, please see inline below

On Tue, Jun 02, 2026 at 10:01:46AM +1000, Peter Hutterer wrote:

=======================================================================
X.Org Security Advisory: June 2, 2026

Issues in X.Org X server prior to 21.1.23 and Xwayland prior to 24.1.12
=======================================================================

Multiple issues have been found in the X server and Xwayland implementations
published by X.Org for which we are releasing security fixes for in
xorg-server-21.1.23 and xwayland-24.1.12.

Note that CVEs have been requested for these issues but did not get assigned in
time for this disclosure.

* Font Alias Stack-based Buffer Overflow

 A mismatch between the X server and the libXfont2 library's maximum
 font name length can cause a stack buffer overflow during font alias
 resolution. The server allocates a 256 byte stack buffer but libXfont2's
 alias target name length is 1024 bytes. A font alias name between 257
 and 1023 bytes causes the X server to copy that name into the undersized
 stack buffer without further checks.

 Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
 Fix:

Found by: Anonymous working with TrendAI Zero Day Initiative.
 (ZDI-CAN-30136)

This issue has been assigned CVE-2026-50256

* XSYNC Use-After-Free in miSyncDestroyFence()

 A client that sets up multiple fence triggers can trigger a
 use-after-free function pointer call. An attacker would connect to the
 X server to set up a fence and await that fence, then a second X
 connection destroys the fence, causing the use-after-free.

 Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
 Fix:

Found by: Anonymous working with TrendAI Zero Day Initiative.
 (ZDI-CAN-30159)

This issue has been assigned CVE-2026-50257

* XKB Key Types Stack-based Buffer Overflow

 The X server has multiple stack buffers that are sized
 XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify
 or clamp non-canonical key types to XkbMaxShiftLevel. A client can
 change key types to excessive shift levels and trigger three separate
 stack overflows.

 This is caused by an incomplete fix of CVE-2025-26597.

 Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
 Fix:

Found by: Anonymous working with TrendAI Zero Day Initiative.
 (ZDI-CAN-30160)

This issue has been assigned CVE-2026-50258

* XKB SetMap Request Stack-based Buffer Overflow

 _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256]
 indexed by key type index. The helper function CheckKeyTypes() writes
 to this buffer at a client-controlled offset, allowing a stack buffer
 overflow.

 Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
 Fix:

Found by: Anonymous working with TrendAI Zero Day Initiative.
 (ZDI-CAN-30161)

This issue has been assigned CVE-2026-50259

* XSYNC Use-After-Free in FreeCounter()

 A client that sets up multiple SyncCounters and awaits on those
 triggers can trigger a use-after-free when destroying those counters
 via a second client connection.

 Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
 Fix:

Found by: Anonymous working with TrendAI Zero Day Initiative.
 (ZDI-CAN-30163)

This issue has been assigned CVE-2026-50260

* XSYNC Use-After-Free in SyncChangeCounter()

 A client that sets up multiple SyncCounters can trigger a use-after-free
 when destroying those counters via a second client connection while
 changing those counters.

 Fixed in: xorg-server-21.1.23 and xwayland-24.1.12
 Fix:

Found by: Anonymous working with TrendAI Zero Day Initiative.
 (ZDI-CAN-30164)

This issue has been assigned CVE-2026-50261

* GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write

 A wrong size validation check in _glXDispChangeDrawableAttributes()
 can read (or write) a client-contr

(CVE-2026-50256, CVE-2026-50257, CVE-2026-50258, CVE-2026-50259, CVE-2026-50263)

A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection. This may be used to crash the server, or for privilege escalation if the X server runs as root. (CVE-2026-50260)

A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters. This may be used to crash the server, or for privilege escalation if the X server runs as root. (CVE-2026-50261)

An out-of-bounds read flaw was found in the X.Org X server and Xwayland in _glXDispChangeDrawableAttributes(). A wrong size validation check can read a client-controlled number of bytes, exceeding the request buffer, leading to information disclosure. A write path also exists but requires byte-swapped clients, which is disabled by default. (CVE-2026-50262)

An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat. A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write. This may be used to crash the server, or for privilege escalation if the X server runs as root. (CVE-2026-50264)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:24.03-LTS-SP1 / xorg-x11-server

Package

Name
xorg-x11-server
Purl
pkg:rpm/openEuler/xorg-x11-server&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.20.11-45.oe2403sp1

Ecosystem specific

{
    "x86_64": [
        "xorg-x11-server-1.20.11-45.oe2403sp1.x86_64.rpm",
        "xorg-x11-server-Xdmx-1.20.11-45.oe2403sp1.x86_64.rpm",
        "xorg-x11-server-Xephyr-1.20.11-45.oe2403sp1.x86_64.rpm",
        "xorg-x11-server-Xnest-1.20.11-45.oe2403sp1.x86_64.rpm",
        "xorg-x11-server-Xvfb-1.20.11-45.oe2403sp1.x86_64.rpm",
        "xorg-x11-server-common-1.20.11-45.oe2403sp1.x86_64.rpm",
        "xorg-x11-server-debuginfo-1.20.11-45.oe2403sp1.x86_64.rpm",
        "xorg-x11-server-debugsource-1.20.11-45.oe2403sp1.x86_64.rpm",
        "xorg-x11-server-devel-1.20.11-45.oe2403sp1.x86_64.rpm"
    ],
    "src": [
        "xorg-x11-server-1.20.11-45.oe2403sp1.src.rpm"
    ],
    "aarch64": [
        "xorg-x11-server-1.20.11-45.oe2403sp1.aarch64.rpm",
        "xorg-x11-server-Xdmx-1.20.11-45.oe2403sp1.aarch64.rpm",
        "xorg-x11-server-Xephyr-1.20.11-45.oe2403sp1.aarch64.rpm",
        "xorg-x11-server-Xnest-1.20.11-45.oe2403sp1.aarch64.rpm",
        "xorg-x11-server-Xvfb-1.20.11-45.oe2403sp1.aarch64.rpm",
        "xorg-x11-server-common-1.20.11-45.oe2403sp1.aarch64.rpm",
        "xorg-x11-server-debuginfo-1.20.11-45.oe2403sp1.aarch64.rpm",
        "xorg-x11-server-debugsource-1.20.11-45.oe2403sp1.aarch64.rpm",
        "xorg-x11-server-devel-1.20.11-45.oe2403sp1.aarch64.rpm"
    ],
    "noarch": [
        "xorg-x11-server-help-1.20.11-45.oe2403sp1.noarch.rpm",
        "xorg-x11-server-source-1.20.11-45.oe2403sp1.noarch.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2681.json"

openEuler:24.03-LTS-SP3 / xorg-x11-server

Package

Name
xorg-x11-server
Purl
pkg:rpm/openEuler/xorg-x11-server&distro=openEuler-24.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.20.11-45.oe2403sp3

Ecosystem specific

{
    "src": [
        "xorg-x11-server-1.20.11-45.oe2403sp3.src.rpm"
    ],
    "x86_64": [
        "xorg-x11-server-1.20.11-45.oe2403sp3.x86_64.rpm",
        "xorg-x11-server-Xdmx-1.20.11-45.oe2403sp3.x86_64.rpm",
        "xorg-x11-server-Xephyr-1.20.11-45.oe2403sp3.x86_64.rpm",
        "xorg-x11-server-Xnest-1.20.11-45.oe2403sp3.x86_64.rpm",
        "xorg-x11-server-Xvfb-1.20.11-45.oe2403sp3.x86_64.rpm",
        "xorg-x11-server-common-1.20.11-45.oe2403sp3.x86_64.rpm",
        "xorg-x11-server-debuginfo-1.20.11-45.oe2403sp3.x86_64.rpm",
        "xorg-x11-server-debugsource-1.20.11-45.oe2403sp3.x86_64.rpm",
        "xorg-x11-server-devel-1.20.11-45.oe2403sp3.x86_64.rpm"
    ],
    "aarch64": [
        "xorg-x11-server-1.20.11-45.oe2403sp3.aarch64.rpm",
        "xorg-x11-server-Xdmx-1.20.11-45.oe2403sp3.aarch64.rpm",
        "xorg-x11-server-Xephyr-1.20.11-45.oe2403sp3.aarch64.rpm",
        "xorg-x11-server-Xnest-1.20.11-45.oe2403sp3.aarch64.rpm",
        "xorg-x11-server-Xvfb-1.20.11-45.oe2403sp3.aarch64.rpm",
        "xorg-x11-server-common-1.20.11-45.oe2403sp3.aarch64.rpm",
        "xorg-x11-server-debuginfo-1.20.11-45.oe2403sp3.aarch64.rpm",
        "xorg-x11-server-debugsource-1.20.11-45.oe2403sp3.aarch64.rpm",
        "xorg-x11-server-devel-1.20.11-45.oe2403sp3.aarch64.rpm"
    ],
    "noarch": [
        "xorg-x11-server-help-1.20.11-45.oe2403sp3.noarch.rpm",
        "xorg-x11-server-source-1.20.11-45.oe2403sp3.noarch.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2681.json"

openEuler:20.03-LTS-SP4 / xorg-x11-server

Package

Name
xorg-x11-server
Purl
pkg:rpm/openEuler/xorg-x11-server&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.20.8-38.oe2003sp4

Ecosystem specific

{
    "src": [
        "xorg-x11-server-1.20.8-38.oe2003sp4.src.rpm"
    ],
    "x86_64": [
        "xorg-x11-server-1.20.8-38.oe2003sp4.x86_64.rpm",
        "xorg-x11-server-Xephyr-1.20.8-38.oe2003sp4.x86_64.rpm",
        "xorg-x11-server-debuginfo-1.20.8-38.oe2003sp4.x86_64.rpm",
        "xorg-x11-server-debugsource-1.20.8-38.oe2003sp4.x86_64.rpm",
        "xorg-x11-server-devel-1.20.8-38.oe2003sp4.x86_64.rpm"
    ],
    "aarch64": [
        "xorg-x11-server-1.20.8-38.oe2003sp4.aarch64.rpm",
        "xorg-x11-server-Xephyr-1.20.8-38.oe2003sp4.aarch64.rpm",
        "xorg-x11-server-debuginfo-1.20.8-38.oe2003sp4.aarch64.rpm",
        "xorg-x11-server-debugsource-1.20.8-38.oe2003sp4.aarch64.rpm",
        "xorg-x11-server-devel-1.20.8-38.oe2003sp4.aarch64.rpm"
    ],
    "noarch": [
        "xorg-x11-server-help-1.20.8-38.oe2003sp4.noarch.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2681.json"

openEuler:22.03-LTS-SP4 / xorg-x11-server

Package

Name
xorg-x11-server
Purl
pkg:rpm/openEuler/xorg-x11-server&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.20.11-44.oe2203sp4

Ecosystem specific

{
    "src": [
        "xorg-x11-server-1.20.11-44.oe2203sp4.src.rpm"
    ],
    "x86_64": [
        "xorg-x11-server-1.20.11-44.oe2203sp4.x86_64.rpm",
        "xorg-x11-server-Xdmx-1.20.11-44.oe2203sp4.x86_64.rpm",
        "xorg-x11-server-Xephyr-1.20.11-44.oe2203sp4.x86_64.rpm",
        "xorg-x11-server-Xnest-1.20.11-44.oe2203sp4.x86_64.rpm",
        "xorg-x11-server-Xvfb-1.20.11-44.oe2203sp4.x86_64.rpm",
        "xorg-x11-server-common-1.20.11-44.oe2203sp4.x86_64.rpm",
        "xorg-x11-server-debuginfo-1.20.11-44.oe2203sp4.x86_64.rpm",
        "xorg-x11-server-debugsource-1.20.11-44.oe2203sp4.x86_64.rpm",
        "xorg-x11-server-devel-1.20.11-44.oe2203sp4.x86_64.rpm"
    ],
    "aarch64": [
        "xorg-x11-server-1.20.11-44.oe2203sp4.aarch64.rpm",
        "xorg-x11-server-Xdmx-1.20.11-44.oe2203sp4.aarch64.rpm",
        "xorg-x11-server-Xephyr-1.20.11-44.oe2203sp4.aarch64.rpm",
        "xorg-x11-server-Xnest-1.20.11-44.oe2203sp4.aarch64.rpm",
        "xorg-x11-server-Xvfb-1.20.11-44.oe2203sp4.aarch64.rpm",
        "xorg-x11-server-common-1.20.11-44.oe2203sp4.aarch64.rpm",
        "xorg-x11-server-debuginfo-1.20.11-44.oe2203sp4.aarch64.rpm",
        "xorg-x11-server-debugsource-1.20.11-44.oe2203sp4.aarch64.rpm",
        "xorg-x11-server-devel-1.20.11-44.oe2203sp4.aarch64.rpm"
    ],
    "noarch": [
        "xorg-x11-server-help-1.20.11-44.oe2203sp4.noarch.rpm",
        "xorg-x11-server-source-1.20.11-44.oe2203sp4.noarch.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2681.json"