
XWayland 24.1.8 & X.Org Server 21.1.18 Further Address Yesterday's Security Disclosures

([X.Org] 5 Hours Ago X.Org Server)


Released yesterday were [1]X.Org Server 21.1.17 and XWayland 24.1.7 to address another batch of six security vulnerabilities reported by security researchers. Out today are X.Org Server 21.1.18 and XWayland 24.1.8, which further button up one of the security issues reported yesterday.

Today's XWayland and X.Org Server point releases add an integer overflow check on the BigRequest length as part of addressing CVE-2025-49176, which concerns possible integer overflows within the Big Requests Extension. A simple if statement is added to the C code to further fend off possible integer overflow conditions.
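
To illustrate the class of check described above, here is an added example that is not the X.Org patch or any code from the project. X11 request lengths are counted in 4-byte units and the Big Requests Extension carries that count in a 32-bit field, so converting it to bytes can wrap. The helper names, the signed-int limit and the 1 MiB cap are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative only: hypothetical helpers, not taken from the X.Org source. */

/* Unchecked: convert a 32-bit length in 4-byte units to bytes.
 * Unsigned arithmetic wraps modulo 2^32, so a huge unit count can
 * come out as a tiny byte count. */
static uint32_t units_to_bytes_unchecked(uint32_t units)
{
    return units << 2;
}

/* Checked: refuse any unit count whose byte length would not fit in a
 * signed int (assumption: later code stores the byte count in an int),
 * then enforce a maximum request size chosen by the caller. */
static bool units_to_bytes_checked(uint32_t units, uint32_t max_bytes,
                                   uint32_t *bytes_out)
{
    if (units > ((uint32_t)INT_MAX >> 2))   /* test before multiplying */
        return false;
    uint32_t bytes = units << 2;
    if (bytes > max_bytes)
        return false;
    *bytes_out = bytes;
    return true;
}

int main(void)
{
    /* Constructed sample lengths, in 4-byte units. */
    const uint32_t samples[] = { 4u, 0x40000001u, 0x3FFFFFFFu };
    const uint32_t max_bytes = 1u << 20;    /* assumed 1 MiB cap */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t bytes = 0;
        bool ok = units_to_bytes_checked(samples[i], max_bytes, &bytes);
        printf("units=0x%08x unchecked=%u bytes checked=%s\n",
               (unsigned)samples[i],
               (unsigned)units_to_bytes_unchecked(samples[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The point of the comparison is the order of operations: the bound is tested on the unit count before the multiplication, because a test on the already-wrapped byte count would pass.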

So for those interested, you can now grab [2]xorg-server 21.1.18 and [3]xwayland 24.1.8.

As the ERNW security researchers who discovered this latest batch of X.Org Server flaws [4]wrote yesterday:

"The X.Org X server is an aged and large project that grew over time with the help of the open-source community. All of these issues gave me a feeling that the source code itself can best describe: party_like_its_1989 = TRUE;"



[1] https://www.phoronix.com/news/X.Org-Server-21.1.17

[2] https://lists.x.org/archives/xorg/2025-June/062065.html

[3] https://lists.x.org/archives/xorg/2025-June/062066.html

[4] https://insinuator.net/2025/06/disclosure-multiple-vulnerabilities-xserver-xwayland/
