CVE-2026-34003

Home/CVE/A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially craft

CVE

A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially craft

A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to crash, leading to a Denial of Service (DoS).

In certain configurations, higher impact outcomes may be possible.

HIGH · CVSS 7.8 EPSS 5e-05

Schedule remediation

CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

Look this up elsewhere - one-click external pivots

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

▸ How to read a CVE - triage first, then detect and patch

This page is every public fact about CVE-2026-34003, cross-linked. Its job is to answer one question fast - does this need my attention now? - and then hand you the two things you do about it. Here is how an analyst reads it.

Triage: should I act now? Four signals, and they are not interchangeable:

CVSSseverity - how bad it is IF exploited, 0-10. A high CVSS alone is not urgency; a flaw can be a perfect 10 and never actually be attacked. EPSSprobability - a model’s estimate of the chance it is exploited in the next 30 days, 0-1. This is the “will it actually happen” signal. CISA KEVconfirmed - it is being exploited in the wild right now. The strongest signal on the page; KEV beats any score. Weaponisedavailability - public exploits / PoCs, and especially Metasploit modules rated Excellent / Great. Reliable, packaged exploit code means low-skill attackers can use it today.

How they combine: KEV, or a dependable Metasploit module, means patch now regardless of CVSS. High CVSS + low EPSS + no exploit is real but not an emergency - schedule it. Low CVSS but KEV-listed still gets patched now. The verdict above already weighed these for you; this is how it got there.

Then what - two workflows:

Detectwhen you cannot patch today, follow this CVE to the ATT&CK techniques it enables, then Build a SIEM detection (the green button) - author a rule, test it in Atomic, deploy it. That buys visibility while the patch waits. PatchAffected products / packages tell you if you are exposed; Fixed versions by distribution and Vendor advisories give the exact version that closes it.

Reading order for the panels below: verdict + badges, then Public exploits / Metasploit (is it weaponised), then ATT&CK techniques + Sigma / IDS rules (can I detect it), then Affected products / packages + Fixed versions (am I exposed, what patches it), then Threat actors / IOCs (who uses it), then Scoring & timeline / references (the evidence).

View attack path from CVE-2026-34003

◆

ATT&CK techniques

Techniques this CVE enables - linked via CWECAPECATT&CK. High◆ = named directly in ATT&CK or Nuclei templates.

T1068 · Exploitation for Privilege Escalation

▤ Build a SIEM detection for these techniques

▤

CAPEC attack patterns

Attack patterns this CVE enables - the bridge from weakness to ATT&CK technique.

CAPEC-CAPEC-540 · Overread Buffers

⬡

Weakness Classification

CWE-125Out-of-bounds Read

📦

Fixed versions by distribution

The package version that resolves this CVE on each Linux distribution, from the vendor’s published security data. fixed in shows a patched version exists; open means the package is listed as affected with no fix yet.
alpine edgexorg-server fixed in 21.1.22-r0
alpine edgexwayland fixed in 24.1.10-r0
oracle alltigervnc fixed in 0:1.15.0-6.el9_7.1
oracle alltigervnc-icons fixed in 0:1.15.0-6.el9_7.1
oracle alltigervnc-license fixed in 0:1.15.0-6.el9_7.1
oracle alltigervnc-selinux open
oracle alltigervnc-server open
oracle alltigervnc-server-minimal fixed in 0:1.15.0-6.el9_7.1
oracle alltigervnc-server-module fixed in 0:1.15.0-6.el9_7.1
oracle allxorg-x11-server-Xdmx fixed in 0:1.20.11-33.el9_7
oracle allxorg-x11-server-Xephyr fixed in 0:1.20.11-33.el9_7
oracle allxorg-x11-server-Xnest open
oracle allxorg-x11-server-Xorg fixed in 0:1.20.11-33.el9_7
oracle allxorg-x11-server-Xvfb fixed in 0:1.20.11-33.el9_7
oracle allxorg-x11-server-Xwayland fixed in 0:24.1.5-6.el10_1
oracle allxorg-x11-server-Xwayland-devel open
oracle allxorg-x11-server-common fixed in 0:1.20.11-33.el9_7
oracle allxorg-x11-server-devel fixed in 0:1.20.11-33.el9_7
oracle allxorg-x11-server-source open
rhel 8tigervnc fixed in 0:1.15.0-9.el8_10
rhel 8tigervnc-icons fixed in 0:1.15.0-9.el8_10
rhel 8tigervnc-license open
rhel 8tigervnc-selinux fixed in 0:1.15.0-9.el8_10
rhel 8tigervnc-server fixed in 0:1.15.0-9.el8_10
rhel 8tigervnc-server-minimal fixed in 0:1.15.0-9.el8_10
rhel 8tigervnc-server-module open
rhel 8xorg-x11-server-Xdmx open
rhel 8xorg-x11-server-Xephyr fixed in 0:1.20.11-28.el8_10
rhel 8xorg-x11-server-Xnest fixed in 0:1.20.11-28.el8_10
rhel 8xorg-x11-server-Xorg open
rhel 8xorg-x11-server-Xvfb open
rhel 8xorg-x11-server-Xwayland open
rhel 8xorg-x11-server-common open
rhel 8xorg-x11-server-devel fixed in 0:1.20.11-28.el8_10
rhel 8xorg-x11-server-source fixed in 0:1.20.11-28.el8_10
rhel 9tigervnc open
rhel 9tigervnc-icons fixed in 0:1.15.0-7.el9_8.1
rhel 9tigervnc-license fixed in 0:1.15.0-7.el9_8.1
rhel 9tigervnc-selinux open
rhel 9tigervnc-server open
rhel 9tigervnc-server-minimal fixed in 0:1.15.0-7.el9_8.1
rhel 9tigervnc-server-module open
rhel 9xorg-x11-server-Xdmx open
rhel 9xorg-x11-server-Xephyr fixed in 0:1.20.11-34.el9_8
rhel 9xorg-x11-server-Xnest open
rhel 9xorg-x11-server-Xorg open
rhel 9xorg-x11-server-Xvfb fixed in 0:1.20.11-34.el9_8
rhel 9xorg-x11-server-Xwayland fixed in 0:24.1.9-4.el9_8
rhel 9xorg-x11-server-Xwayland-devel fixed in 0:24.1.9-4.el9_8
rhel 9xorg-x11-server-common open
rhel 9xorg-x11-server-devel fixed in 0:1.20.11-34.el9_8
rhel 9xorg-x11-server-source fixed in 0:1.20.11-34.el9_8
suse sle15xorg-x11-server fixed in 0:1.20.3-150400.38.68.1
suse sle15xorg-x11-server-Xvfb fixed in 0:21.1.11-150600.5.25.1
suse sle15xorg-x11-server-extra fixed in 0:1.20.3-150400.38.68.1
suse sle15xorg-x11-server-sdk fixed in 0:1.20.3-150400.38.68.1
suse sle15xwayland fixed in 0:24.1.5-150700.3.14.1

▣

Scoring & Timeline

7.8

HIGH · CVSS v3.1 · [email protected]

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD23 Apr 2026 · 04:16 PM

CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC triage · cisa-vulnrichment

Exploitation

none

Automatable

Technical impact

total

SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

⚑

Vendor Advisories

rhsaRHSA-2026:20547Moderate
rhsaRHSA-2026:20557Moderate
rhsaRHSA-2026:20560Moderate
rhsaRHSA-2026:20576Moderate
rhsaRHSA-2026:20575Moderate
Show all 30 vendor advisoriesrhsaRHSA-2026:20563Moderate
rhsaRHSA-2026:20562Moderate
rhsaRHSA-2026:20561Moderate
rhsaRHSA-2026:20558Moderate
rhsaRHSA-2026:20555Moderate
rhsaRHSA-2026:20590Moderate
rhsaRHSA-2026:19342Moderate
rhsaRHSA-2026:21712Moderate
rhsaRHSA-2026:21718Moderate
rhsaRHSA-2026:21716Moderate
rhsaRHSA-2026:21715Moderate
rhsaRHSA-2026:21699Moderate
rhsaRHSA-2026:21742Moderate
rhsaRHSA-2026:22424Moderate
rhsaRHSA-2026:22456Moderate
rhsaRHSA-2026:21741Moderate
rhsaRHSA-2026:23255Moderate
rhsaRHSA-2026:23496Moderate
rhsaRHSA-2026:23254Moderate
rhsaRHSA-2026:24341Moderate
msrcCVE-2026-34003
rhsaRHSA-2026:11692Important
rhsaRHSA-2026:10739Important
rhsaRHSA-2026:13414Important
rhsaRHSA-2026:11656Important

🔗

References & Sources

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

https://access.redhat.com/errata/RHSA-2026:11352

https://access.redhat.com/errata/RHSA-2026:11369

https://access.redhat.com/errata/RHSA-2026:11388

https://access.redhat.com/security/cve/CVE-2026-34003

https://bugzilla.redhat.com/show_bug.cgi?id=2451113

https://access.redhat.com/errata/RHSA-2026:19125

Show all 8 references

https://access.redhat.com/errata/RHSA-2026:19343

https://access.redhat.com/errata/RHSA-2026:19344