An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searches for the pointer device based on its device ID and returns the matching value, or supposedly NULL, if no match was found. However, the code will return the last element of the list if no matching device ID is found, which can lead to out-of-bounds memory access.
https://bugzilla.redhat.com/show_bug.cgi?id=2345254
https://access.redhat.com/security/cve/CVE-2025-26598
https://access.redhat.com/errata/RHSA-2025:2880
https://access.redhat.com/errata/RHSA-2025:2879
https://access.redhat.com/errata/RHSA-2025:2875
https://access.redhat.com/errata/RHSA-2025:2874
https://access.redhat.com/errata/RHSA-2025:2873
https://access.redhat.com/errata/RHSA-2025:2866
https://access.redhat.com/errata/RHSA-2025:2865
https://access.redhat.com/errata/RHSA-2025:2862
https://access.redhat.com/errata/RHSA-2025:2861