PT-2026-4947 · Xrdp+3 · Xrdp+3

Published

2025-01-01

·

Updated

2026-06-25

·

CVE-2025-68670

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions xrdp versions prior to 0.10.5
Description xrdp contains an unauthenticated stack-based buffer overflow. The issue occurs during the pre-authentication Secure Settings Exchange via Client Info PDU (T1210) due to improper bounds checking in the xrdp wm parse domain information() function. Specifically, the function processes a 512-byte UTF-8 domain into a 256-byte buffer. A remote attacker can exploit this by using crafted UTF-16 domain names that expand during conversion to UTF-8, specifically using a domain name starting with " " followed by more than 256 UTF-8 bytes before the " " delimiter. This allows the attacker to overwrite the stack buffer and the return address to execute arbitrary code. Stack canaries provide partial protection but can be bypassed if the canary value is leaked. Real-world incidents have been reported where attackers used this flaw to gain remote code execution, escalate privileges, and move laterally through networks.
Recommendations Upgrade to version 0.10.5. Do not rely on stack canary protection on production systems.

Exploit

Fix

RCE

DoS

Memory Corruption

Stack Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-00962
CVE-2025-68670
GHSA-RWVG-GP87-GH6F
MGASA-2026-0037
OPENSUSE-SU-2026:10146-1
OPENSUSE-SU-2026:20167-1
SUSE-SU-2026:0404-1
SUSE-SU-2026:0433-1
SUSE-SU-2026:0477-1
USN-8476-1

Affected Products

Linuxmint
Red Os
Ubuntu
Xrdp