Five CVEs, One Very Tired Display Server
On April 14, 2026, the X.Org Foundation shipped xorg-server 21.1.22 and xwayland 24.1.10 to patch five fresh CVEs. Every single one was found by Jan-Niklas Sohn at Trend Micro's Zero Day Initiative — the same researcher who has been quietly carrying the security burden for this codebase for years now. I use Arch, btw, and I still had to `pacman -Syu` xorg-server this week despite running a Wayland session, because Xwayland inherits most of this rot wholesale.
The CVE list reads like an archaeology report. CVE-2026-33999 is an XKB integer underflow that predates X11R6.6 — that release shipped in 2006. CVE-2026-34002 is another XKB out-of-bounds read from the same era. CVE-2026-34001 is an XSYNC use-after-free that has been sitting in the tree since xorg-server 1.9.0 landed in 2010. We are patching bugs older than the Raspberry Pi, older than GitHub; most of the people reading this article were still in primary school when they were written.
The Bug Class Tells You Everything
Look at what these are: integer underflow, out-of-bounds read, out-of-bounds read again, use-after-free, buffer overflow. This is a C89 codebase doing manual pointer arithmetic on untrusted input over a local socket that trusts every client equally. XKB in particular is a minefield — the keyboard extension parses complex geometry descriptions with nested structures and key alias tables, and it does bounds checking with all the rigor of a 1994 undergraduate operating systems assignment. Because, well, that's roughly when it was written.
The CheckSetGeom() bug (CVE-2026-34000) is the tell. Each key alias entry contains two key names, and the code validates bounds using only the first name. XkbAddGeomKeyAlias then reads uninitialized memory. This is the kind of bug you find when you're the first person to seriously audit a function in fifteen years. And it keeps happening because nobody wants to touch this code — maintainers have openly said X.Org is in maintenance mode, with development centered on Xwayland and the actual compositors living downstream in Mutter, KWin, and wlroots.
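To make the pattern behind the CheckSetGeom() bug concrete, here is an added illustration in C. It is not X.Org code and does not reproduce the real xkb request layout; it models a hypothetical key-alias table where each entry carries two fixed-width names (the 4-byte name length and the field names `real`/`alias` are assumptions) and shows a length check that counts only the first name beside one that counts both. The constructed sample request is shorter than the number of aliases the client claims, which is exactly the case the flawed check lets through.

```c
/* Added illustration, not X.Org code: a toy key-alias parser showing the
 * validation pattern behind the CheckSetGeom() bug described above.
 * Wire layout is hypothetical: each alias entry carries TWO fixed-width
 * key names, "real" followed by "alias". */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEY_NAME_LEN 4                     /* bytes per key name (assumed) */
#define ALIAS_WIRE_LEN (2 * KEY_NAME_LEN)  /* two names per alias entry */

struct key_alias {
    char real[KEY_NAME_LEN + 1];
    char alias[KEY_NAME_LEN + 1];
};

/* Flawed check, in the spirit of the bug: it sizes the request by the
 * first name only, so a client can claim more aliases than the buffer
 * carries and the second name of the last entries is read from past the
 * end of the request (uninitialized or unrelated memory). */
int aliases_fit_flawed(size_t remaining, unsigned n_aliases)
{
    return (size_t)n_aliases * KEY_NAME_LEN <= remaining;
}

/* Fixed check: every entry needs room for both of its names. */
int aliases_fit_fixed(size_t remaining, unsigned n_aliases)
{
    return (size_t)n_aliases * ALIAS_WIRE_LEN <= remaining;
}

/* Copy n_aliases entries from buf into out. Returns the number of entries
 * copied, or -1 if the fixed length check (or the output capacity) rejects
 * the request. Never touches a byte beyond buf[len-1]. */
int parse_key_aliases(const uint8_t *buf, size_t len, unsigned n_aliases,
                      struct key_alias *out, unsigned out_cap)
{
    if (!aliases_fit_fixed(len, n_aliases) || n_aliases > out_cap)
        return -1;
    for (unsigned i = 0; i < n_aliases; i++) {
        const uint8_t *entry = buf + (size_t)i * ALIAS_WIRE_LEN;
        memcpy(out[i].real,  entry,                KEY_NAME_LEN);
        memcpy(out[i].alias, entry + KEY_NAME_LEN, KEY_NAME_LEN);
        out[i].real[KEY_NAME_LEN] = '\0';
        out[i].alias[KEY_NAME_LEN] = '\0';
    }
    return (int)n_aliases;
}

/* Constructed sample request: one complete entry ("AE01" -> "LatQ") plus
 * the first name of a second entry, 12 bytes in total, while the client
 * claims two aliases (16 bytes). The flawed check accepts this; the fixed
 * check refuses it, so the parser never reads the missing alias name. */
static const uint8_t SAMPLE_REQ[12] = {
    'A','E','0','1', 'L','a','t','Q',   /* entry 0: real + alias */
    'A','E','0','2'                     /* entry 1: real only, alias missing */
};

int main(void)
{
    struct key_alias table[4];
    unsigned claimed = 2;
    printf("flawed check accepts %u aliases in %zu bytes: %d\n",
           claimed, sizeof SAMPLE_REQ, aliases_fit_flawed(sizeof SAMPLE_REQ, claimed));
    printf("fixed  check accepts %u aliases in %zu bytes: %d\n",
           claimed, sizeof SAMPLE_REQ, aliases_fit_fixed(sizeof SAMPLE_REQ, claimed));
    int n = parse_key_aliases(SAMPLE_REQ, sizeof SAMPLE_REQ, 1, table, 4);
    if (n == 1)
        printf("parsed one entry: %s -> %s\n", table[0].real, table[0].alias);
    return 0;
}
```

The point for a reviewer of this kind of code is that the length check must be derived from the same per-entry size the copy loop uses; computing it from a single field, or from a constant that drifts from the struct, is how a request that is too short gets past validation.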
GNOME 50 Saw This Coming
This advisory dropped weeks after GNOME 50 'Tokyo' shipped as a Wayland-only release. The X11 session is gone from GNOME. Mutter still supports Xwayland for legacy apps, but the native X11 session — the thing that has been accumulating CVE debt for two decades — is finally out of the tree. KDE Plasma 6 made Wayland the default last year. Fedora Workstation has been Wayland-by-default since Fedora 34. Ubuntu 26.04 LTS, which is about to drop with GNOME 50, will ship Wayland for essentially every desktop user who isn't running proprietary NVIDIA drivers on a pre-Turing GPU.
The holdouts are getting harder to defend. NVIDIA's explicit sync protocol support in the 560+ driver series fixed the last major Wayland blocker for green-team users. XFCE and MATE are working on Wayland ports. Even the screen-recording-on-X11 crowd can now use PipeWire portals on Wayland. The honest answer for why people still run X11 in 2026 is `.xinitrc` muscle memory and `xdotool` scripts.
What You Should Actually Do
Update your xorg-server and xwayland packages. Now. Arch, Fedora, and Debian testing have the patches. Debian stable and Ubuntu LTS will have them in security repos within days if they don't already. If you're running X11 as your session, consider this your annual reminder that the CVE cadence on this codebase is not going to slow down — these bugs keep getting found because nobody has stopped looking. Sohn has personally reported something like thirty X.Org CVEs across recent years. One researcher. The bus factor here is one.
The funnier read is that Xwayland users are affected too, because Xwayland ships the same XKB and XSYNC code paths that have been vulnerable since 2006. Moving to Wayland gets you off the X11 session attack surface, but as long as you run any legacy app through Xwayland, you're still running this code. The only real fix is native Wayland ports — and thankfully, in 2026, almost everything you actually use has one. Firefox, Chromium, VSCode, Steam (via gamescope or native), OBS, Blender, GIMP 3.x, Krita, Kitty, Alacritty, Foot, Ghostty. Run `loginctl show-session $XDG_SESSION_ID -p Type` and make sure it says `wayland`. Then go delete your `.xinitrc`.