OpenBSD 7.8 patches several X server flaws with errata 037

On 2 June 2026 the OpenBSD project shipped errata 037 for release 7.8, a security fix that touches four X server extensions: dri2, sync, saver and Xkb. The advisory covers all supported architectures and comes with a signed source patch.

What gets fixed

OpenBSD’s X server is part of Xenocara, the project’s build of the X.Org graphics stack. The errata bundles several bugs spread across those four extensions. The official advisory calls them “multiple vulnerabilities” without spelling out the exact category of each one, and it assigns no CVE identifiers.

These extensions are not new to the trouble list. dri2 handles direct integration with 3D rendering, sync coordinates timing between clients, saver drives the screen saver, and Xkb deals with keyboard layout. All four carry a long record of memory-handling bugs in the X codebase, and they have been a recurring source of locally exploitable flaws.

Who is affected

The problem lives in the X server, so it touches any OpenBSD 7.8 install that runs a graphical environment. If you work only at the console with no X session running, the direct risk is lower.

The relevant vector here is local. A process or user that can already talk to the X server could take advantage of these bugs. By their nature, X extensions are a classic target for privilege escalation or for breaking out of a restricted context, because the server usually runs with elevated permissions. The advisory records no remote exploitation and no active attacks.

Severity

The project does not attach a formal CVSS score to its errata, and there are no public CVEs tied to this one. We rate it medium severity: these are memory-handling bugs with a local vector, no evidence of exploitation in the wild, and no direct remote access. Even so, the track record of X extensions makes it worth patching without delay, especially on multi-user machines or systems where you run third-party software you don’t fully trust.

How to apply the patch

OpenBSD ships the fix as a source patch, not as a binary. The signed file lives at:

https://ftp.openbsd.org/pub/OpenBSD/patches/7.8/common/037_xserver.patch.sig

The usual procedure is to download the patch, verify the signature, apply it to the source tree and rebuild the X server. If you’d rather not compile by hand, syspatch delivers this fix as a binary patch on the architectures where it’s available, which is the easier path for most installs.

After applying it, restart the graphical session so the patched X server takes over.
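
The procedure above as a script, added here as an example rather than taken from the OpenBSD advisory: it uses syspatch when the errata is offered as a binary patch and otherwise fetches, verifies and applies the source patch. The /usr/xenocara source location, the signify key path and the one-name-per-line output of `syspatch -l` and `syspatch -c` are assumptions based on usual OpenBSD conventions.

```shell
#!/bin/sh
# Added example (not OpenBSD's own script). Run as root: sh errata037.sh apply
set -eu

REL="7.8"               # release named in the article
ERRATA="037_xserver"    # errata name, taken from the patch URL above
SRCDIR="/usr/xenocara"  # assumption: Xenocara sources are checked out here

# URL of the signed patch, following the layout of the URL in the article.
errata_url() {          # $1 = release, $2 = errata name
    printf 'https://ftp.openbsd.org/pub/OpenBSD/patches/%s/common/%s.patch.sig\n' "$1" "$2"
}

# Assumption: the release key is /etc/signify/openbsd-<NN>-base.pub (7.8 -> 78).
errata_pubkey() {       # $1 = release
    printf '/etc/signify/openbsd-%s-base.pub\n' "$(printf '%s' "$1" | tr -d .)"
}

# Reads a patch list on stdin, one name per line (the format assumed for
# `syspatch -l` and `syspatch -c`), and succeeds only on an exact match.
errata_listed() {       # $1 = errata name
    grep -Fqx -- "$1"
}

apply_errata() {
    if syspatch -l | errata_listed "$ERRATA"; then
        echo "$ERRATA is already installed"
        return 0
    fi
    if syspatch -c | errata_listed "$ERRATA"; then
        syspatch        # binary patch path: installs all missing patches
    else
        # Source path: set -e stops the script if signify fails, so
        # patch(1) never runs on unverified input.
        tmp=$(mktemp -d)
        ftp -o "$tmp/$ERRATA.patch.sig" "$(errata_url "$REL" "$ERRATA")"
        signify -Vep "$(errata_pubkey "$REL")" \
            -x "$tmp/$ERRATA.patch.sig" -m "$tmp/$ERRATA.patch"
        (cd "$SRCDIR" && patch -p0 < "$tmp/$ERRATA.patch")
        # Errata patches usually open with the rebuild commands; show them.
        sed -n '1,/^Index:/p' "$tmp/$ERRATA.patch"
    fi
    echo "Restart the graphical session to load the patched X server."
}

if [ "${1:-}" = "apply" ]; then apply_errata; fi
```

On the source path, follow the rebuild commands printed from the patch header before restarting X.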

If you run OpenBSD, check the OpenBSD page for versions and support cycle, and keep the system on a branch that still receives errata.
