Alpine: multiple xorg-server packages: security update to 21.1.22-r0

Critical | Tenable Self-Hosted Container Security | Plugin ID 440433

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB
compatibility map handling, allows an attacker with local or remote X11 server access to trigger a buffer
read overrun. This can lead to memory-safety violations and potentially a denial of service (DoS) or other
severe impacts. (CVE-2026-33999)

- A flaw was found in the X.Org X server. This out-of-bounds read vulnerability in the XKB geometry
processing, specifically within the `CheckSetGeom()` and `XkbAddGeomKeyAlias()` functions, allows an
attacker to read uninitialized or out-of-bounds memory. An attacker with a connection to the X11 server,
either locally or remotely, can exploit this without user interaction. This could lead to the disclosure
of memory contents or cause a denial of service by crashing the server. (CVE-2026-34000)

- A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence
triggering logic, specifically within the `miSyncTriggerFence()` function. An attacker with access to the
X11 server can exploit this without user interaction, leading to a server crash and potentially enabling
memory corruption. This could result in a denial of service or further compromise of the system.
(CVE-2026-34001)

- A flaw was found in the X.Org X server. This vulnerability, an out-of-bounds read, affects the XKB (X
Keyboard Extension) modifier map handling. An attacker with access to the X11 server can exploit this by
sending a malformed request, which causes the server to read beyond its intended memory boundaries. This
can lead to the exposure of sensitive information or cause the server to crash, resulting in a denial of
service. (CVE-2026-34002)

- A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a
specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This
could result in the disclosure of sensitive information or cause the server to crash, leading to a Denial
of Service (DoS). In certain configurations, higher impact outcomes may be possible. (CVE-2026-34003)

Solution

Update the xorg-server library and its related packages to version 21.1.22-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-33999

https://security.alpinelinux.org/vuln/CVE-2026-34000

https://security.alpinelinux.org/vuln/CVE-2026-34001

https://security.alpinelinux.org/vuln/CVE-2026-34002

https://security.alpinelinux.org/vuln/CVE-2026-34003

Plugin Details

Severity: Critical

ID: 440433

Version: Revision 1.5

Type: Local

Published: 4/15/2026

Updated: 5/8/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.46

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:C

CVSS Score Source: CVE-2026-34002

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Reference Information

CVE: CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003