PT-2026-33499 · Xrdp · Xrdp

Exploitintel · Published 2026-04-17 · Updated 2026-05-19 · CVE-2026-32624

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: xrdp versions prior to 0.10.6
Description: A heap-based buffer overflow exists in the logon processing of this open source RDP server. When the domain user separator is configured in the 'xrdp.ini' file, an unauthenticated remote attacker can send a crafted, excessively long username and domain name to overflow the internal buffer. This memory corruption can lead to a Denial of Service (DoS) or unexpected behavior. This issue only affects systems where the domain name separator directive has been intentionally enabled, as it is commented out by default.
Recommendations: Update to version 0.10.6. As a temporary workaround, ensure the domain name separator directive in 'xrdp.ini' remains commented out or disabled.
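As an added example (not part of this advisory or of the xrdp project), a Python check for the workaround above: it reports whether the domain/user separator directive is active in an xrdp.ini and whether a given version string predates 0.10.6. The directive name `domain_user_separator` and the sample ini content are assumptions; the check does not distinguish which section the directive appears in.

```python
import re

# Constructed xrdp.ini fragment (assumed layout, not copied from a real host).
# As shipped the directive is commented out, which is the state the advisory recommends.
DEFAULT_INI = """\
[Globals]
port=3389
; Separator between user and domain in the login name (assumed key name)
#domain_user_separator=@
"""
ENABLED_INI = DEFAULT_INI.replace("#domain_user_separator=@", "domain_user_separator=@")

FIXED_VERSION = (0, 10, 6)            # first release the advisory lists as fixed
DIRECTIVE = "domain_user_separator"   # assumed name of the xrdp.ini directive
_KV = re.compile(r"^([^#;=\s][^=]*?)\s*=\s*(.*?)$")


def separator_enabled(ini_text: str):
    """Return the configured separator if the directive is active, else None.

    Lines starting with '#' or ';' (both comment styles used in xrdp.ini) are
    skipped, so a commented-out directive never counts as enabled. An empty
    value is treated as disabled (assumption).
    """
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        m = _KV.match(line)
        if m and m.group(1).lower() == DIRECTIVE:
            return m.group(2) or None
    return None


def version_is_affected(version: str) -> bool:
    """True when a dotted xrdp version string is older than the fixed release."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))   # pad "0.10" to "0.10.0"
    return parts < FIXED_VERSION


def assess(ini_text: str, version: str) -> dict:
    """Exposed only when the build predates the fix AND the directive is active."""
    sep = separator_enabled(ini_text)
    old = version_is_affected(version)
    return {"separator": sep, "affected_version": old, "exposed": old and sep is not None}
```

Run `assess(open("/etc/xrdp/xrdp.ini").read(), version)` with the installed version to get a per-host verdict; a host on an affected version but with the directive commented out is reported as not exposed, matching the advisory's workaround.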

Fix

Weakness Enumeration: Heap Based Buffer Overflow

Related Identifiers:
BDU:2026-06989
CVE-2026-32624
OPENSUSE-SU-2026:10816-1

Affected Products: Xrdp