CVE-2026-55999 is a heap-based buffer overflow in the Glamor 2D acceleration path of X.Org xorg-server and Xwayland, specifically in glamor_font_get() during font atlas construction. The vulnerable logic derives atlas slot dimensions from a font's declared maxbounds values, but copies glyph bitmap data using each glyph's actual metrics without verifying that those per-glyph dimensions are bounded by maxbounds. A specially crafted PCF font can therefore declare small maxbounds while supplying larger per-glyph metrics, causing out-of-bounds writes past the heap-allocated atlas buffer during glyph bitmap copying. The issue is aggravated by negative per-glyph metrics, which can trigger integer wrapping in loop bounds or memcpy size calculations, potentially resulting in extremely large writes. The flaw affects servers using the Glamor backend, including Xorg with the modesetting driver and Xwayland, in versions before xorg-server 21.1.24 and xwayland 24.1.13.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A heap buffer overflow vulnerability in X.Org xorg-server and xwayland triggered via SetFont when processing attacker-provided PCX fonts, caused by missing glyph boundary checks.
A heap buffer overflow and integer-wrapping vulnerability in X.Org xserver's glamor font rendering path, where glamor_font_get() allocates a font atlas using declared maxbounds but copies glyph bitmaps using per-glyph metrics from crafted PCF fonts. Malicious fonts can trigger out-of-bounds writes or size/loop counter wrapping.
Out-of-bounds read vulnerability in the Glamor 2D acceleration component of X.Org Server/Xwayland, triggered via crafted PCF fonts and potentially usable for code execution or information disclosure in certain X server configurations.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.