Local attackers with a X connection able to provide PCX fonts to the X server xorg-server before 21.2.24 and xwayland before 24.1.13 could cause a heap buffer overflow via SetFont due to missing glyph boundary checks.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-55999 is a heap buffer overflow vulnerability affecting xorg-server (before 21.2.24) and xwayland (before 24.1.13) that allows local attackers with X connection privileges to crash the server or potentially execute arbitrary code by providing malicious PCX fonts. The vulnerability stems from missing glyph boundary checks in the SetFont operation, meaning an attacker can supply specially crafted font data that writes beyond allocated heap memory. This matters because X servers often run with elevated privileges and handle font rendering for all connected clients—a compromise could affect the entire display environment and any applications relying on it. While currently not listed as actively exploited in CISA's KEV catalog, the high CVSS score of 8.5 reflects the severity of heap corruption in privileged processes. Organizations running vulnerable xorg-server or xwayland versions on systems where untrusted users have local X access face significant risk.
Although this CVE does not directly map to specific MITRE ATT&CK techniques in the vulnerability disclosure, Casky's security skills leveraging Claude AI would detect the underlying attack patterns by analyzing suspicious behavior in X server font processing and memory access anomalies. Practitioners using Casky would observe findings related to CWE-122 (Heap-based Buffer Overflow) detection through enhanced reasoning capabilities that correlate buffer overflow indicators with font subsystem activity. Security teams would see alerting patterns associated with Privilege Escalation and Local Access techniques, as the attack requires X connection privileges but can result in code execution. By mapping the root cause (missing boundary validation) to defensive controls, Casky would recommend monitoring X font operations, restricting PCX font sources, and prioritizing patching of xorg-server and xwayland components—enabling practitioners to harden their display environments before malicious font files are leveraged for exploitation.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-55999. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation