Detections
Analytics

Amazon Linux 2 : xorg-x11-server, --advisory ALAS2-2026-3336 (ALAS-2026-3336)

high Nessus Plugin ID 319842

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3336 advisory.

 Font Alias Stack-based Buffer Overflow: A mismatch between the X server and the libXfont2 library's maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2's alias target name length is 1024 bytes. A font alias name between 257 and 1023 bytes causes the X server to copy that name into the undersized stack buffer without further checks.

 XSYNC Use-After-Free in miSyncDestroyFence(): A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free.

 XKB Key Types Stack-based Buffer Overflow: The X server has multiple stack buffers that are sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger three separate stack overflows.

 XKB SetMap Request Stack-based Buffer Overflow: _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type index. The helper function CheckKeyTypes() writes to this buffer at a client-controlled offset, allowing a stack buffer overflow.

 XSYNC Use-After-Free in FreeCounter(): A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection.

 XSYNC Use-After-Free in SyncChangeCounter(): A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters.

 GLX ChangeDrawableAttributes Out-Of-Bounds Read/Write: A wrong size validation check in
 __glXDisp_ChangeDrawableAttributes() can read (or write) a client-controlled number of bytes, exceeding the request buffer. The write path requires byte-swapped clients which is disabled by default. The read can lead to information disclosure, the write can be used to crash the server, or for privilege escalation if the X server runs as root.

 CreateSaverWindow Use-After-Free Information Disclosure: A client can trigger a use-after-free read after changing window attributes and forcing the screen saver. This can lead to information disclosure.

 DRI2 DRIGetBuffers/DRIGetBuffersWithFormat Out-Of-Bounds Write: A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write.

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Run 'yum update xorg-x11-server' or or 'yum update --advisory ALAS2-2026-3336' to update your system.

See Also

https://alas.aws.amazon.com//AL2/ALAS2-2026-3336.html

https://alas.aws.amazon.com/faqs.html

Plugin Details

Severity: High

ID: 319842

File Name: al2_ALAS-2026-3336.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/8/2026

Updated: 6/8/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:xorg-x11-server-xephyr, p-cpe:/a:amazon:linux:xorg-x11-server-debuginfo, p-cpe:/a:amazon:linux:xorg-x11-server-common, p-cpe:/a:amazon:linux:xorg-x11-server-devel, p-cpe:/a:amazon:linux:xorg-x11-server-xdmx, p-cpe:/a:amazon:linux:xorg-x11-server-xwayland, p-cpe:/a:amazon:linux:xorg-x11-server-source, cpe:/o:amazon:linux:2, p-cpe:/a:amazon:linux:xorg-x11-server-xvfb, p-cpe:/a:amazon:linux:xorg-x11-server-xnest, p-cpe:/a:amazon:linux:xorg-x11-server-xorg

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/8/2026

Vulnerability Publication Date: 6/8/2026