SB2026041559 - OpenBSD update for X.org Server

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Integer underflow (CVE-ID: CVE-2026-33999)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an integer underflow in XkbSetCompatMap() when processing a future request after a previously truncated compat buffer left unused space. A local user can gain access to sensitive information.

2) Out-of-bounds read (CVE-ID: CVE-2026-34000)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in CheckSetGeom() when handling key alias entries and validating only the first key name. A local user can gain access to sensitive information.

3) Use-after-free (CVE-ID: CVE-2026-34001)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in miSyncTriggerFence() when walking the list of fences to trigger. A local user can trigger fence processing to cause a denial of service.

The issue occurs because freeing the await resource removes subsequent trigger entries from the list during iteration.

4) Out-of-bounds read (CVE-ID: CVE-2026-34002)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in CheckModifierMap() when parsing client request data without verifying that reads remain within request bounds. A local user disclose sensitive information.

5) Out-of-bounds read (CVE-ID: CVE-2026-34003)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in CheckKeyTypes() when processing a client request without ensuring that reads remain within request bounds. A local user can gain access to sensitive information.

Remediation

Install update from vendor's website.

References

• http://www.openbsd.org/errata77.html#034"
• http://www.openbsd.org/errata77.html#034</a></p><p><a
• http://www.openbsd.org/errata78.html#028"
• http://www.openbsd.org/errata78.html#028</a></p><p><a
• https://ftp.openbsd.org/pub/OpenBSD/patches/7.7/common/034_xserver.patch.sig"
• https://ftp.openbsd.org/pub/OpenBSD/patches/7.7/common/034_xserver.patch.sig</a></p><p>
• https://ftp.openbsd.org/pub/OpenBSD/patches/7.8/common/028_xserver.patch.sig</p><p><br></p>