Critical security update for xwayland: data corruption and crashes possible

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

Critical security update for xwayland: data corruption and crashes possible

SUSE-SU-2026:1329-1

Summary

This update fixes multiple critical security issues in xwayland that could allow attackers to cause data corruption or crashes. These issues were identified in the way xwayland handles keyboard settings and synchronization. To stay secure, apply this update as soon as possible by updating your xwayland software.

What to do

Update xwayland to version 24.1.1-150600.5.23.1.

Affected software

Ecosystem	Vendor	Product	Affected versions
openSUSE:Leap 15.6	–	xwayland	< 24.1.1-150600.5.23.1 Fix: upgrade to 24.1.1-150600.5.23.1

Original title

Security update for xwayland

Original description

This update for xwayland fixes the following issues:

- CVE-2026-33999: XKB integer underflow in XkbSetCompatMap() (bsc#1260922).
- CVE-2026-34000: XKB out-of-bounds read in CheckSetGeom() (bsc#1260923).
- CVE-2026-34001: XSYNC use-after-free in miSyncTriggerFence() (bsc#1260924).
- CVE-2026-34002: XKB out-of-bounds read in CheckModifierMap() (bsc#1260925).
- CVE-2026-34003: XKB buffer overflow in CheckKeyTypes() (bsc#1260926).

https://www.suse.com/support/update/announcement/2026/suse-su-20261329-1/ Vendor Advisory
https://bugzilla.suse.com/1260922 Third Party Advisory
https://bugzilla.suse.com/1260923 Third Party Advisory
https://bugzilla.suse.com/1260924 Third Party Advisory
https://bugzilla.suse.com/1260925 Third Party Advisory
https://bugzilla.suse.com/1260926 Third Party Advisory
https://www.suse.com/security/cve/CVE-2026-33999 URL
https://www.suse.com/security/cve/CVE-2026-34000 URL
https://www.suse.com/security/cve/CVE-2026-34001 URL
https://www.suse.com/security/cve/CVE-2026-34002 URL
https://www.suse.com/security/cve/CVE-2026-34003 URL

Published: 14 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026