PT-2026-4947 · Xrdp+1 · Xrdp+1

Published: 2025-01-01 · Updated: 2026-05-09 · CVE-2025-68670

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

xrdp versions prior to 0.10.5

Description

xrdp contains an unauthenticated stack-based buffer overflow. The issue occurs during the pre-authentication Secure Settings Exchange via the Client Info PDU (T1210) due to improper bounds checking when processing user domain information. Specifically, the xrdp_wm_parse_domain_information() function processes a 512-byte UTF-8 domain into a 256-byte buffer. A remote attacker can exploit this by using a crafted domain name starting with "_" followed by more than 256 UTF-8 bytes before the "__" delimiter, potentially using UTF-16 to UTF-8 conversion differences with Cyrillic characters to maximize expansion. This allows the attacker to overwrite the stack buffer and return address to execute arbitrary code via a ROP chain. Stack canary protection, a security mechanism that places a small value in memory to detect stack buffer overflows, may lessen the impact but can be bypassed if the canary value is leaked.

Recommendations

Upgrade to version 0.10.5. Do not rely on stack canary protection on production systems.
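
The bounds check whose absence the description identifies, shown as an added example that is not xrdp's code or its 0.10.5 patch: a hypothetical helper, copy_domain_prefix(), copies the text between a leading "_" and the "__" delimiter into a fixed buffer and rejects anything that would not fit. The function name, its return convention and the behaviour on a missing delimiter are assumptions; the 512-byte and 256-byte sizes come from the description.

```c
#include <stddef.h>
#include <string.h>

#define DOMAIN_IN_MAX  512 /* UTF-8 domain size given in the description */
#define RESULT_BUF_MAX 256 /* destination buffer size given in the description */

/*
 * Hypothetical helper, not xrdp source. Copies the bytes between a leading
 * '_' and the first "__" into out[out_size] and NUL-terminates the result.
 * Returns the number of bytes copied, or -1 when the input is unterminated,
 * lacks the marker or delimiter, or the span does not fit in out.
 */
static int copy_domain_prefix(const char *domain, char *out, size_t out_size)
{
    const char *start;
    const char *delim;
    size_t in_len;
    size_t span;

    if (domain == NULL || out == NULL || out_size == 0)
        return -1;
    out[0] = '\0'; /* callers never see stale data on failure */

    /* Bound the scan: the input must terminate within DOMAIN_IN_MAX bytes. */
    for (in_len = 0; in_len < DOMAIN_IN_MAX && domain[in_len] != '\0'; in_len++)
        ;
    if (in_len == DOMAIN_IN_MAX || domain[0] != '_')
        return -1;

    start = domain + 1;
    delim = strstr(start, "__");
    if (delim == NULL)
        return -1;

    /*
     * Measure the span in UTF-8 bytes, after any UTF-16 conversion, and
     * leave room for the terminator. Copying without this comparison is
     * the overflow pattern: a 512-byte input can carry a span > 256 bytes.
     */
    span = (size_t)(delim - start);
    if (span >= out_size)
        return -1;

    memcpy(out, start, span);
    out[span] = '\0';
    return (int)span;
}
```

The length test is on bytes after conversion, not on the character count of the UTF-16 input, which is the distinction the description draws attention to.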

Exploit

Fix

RCE

Stack Overflow

Memory Corruption

Weakness Enumeration

Related Identifiers

BDU:2026-00962
CVE-2025-68670
GHSA-RWVG-GP87-GH6F
MGASA-2026-0037
OPENSUSE-SU-2026:10146-1
OPENSUSE-SU-2026:20167-1
SUSE-SU-2026:0404-1
SUSE-SU-2026:0433-1
SUSE-SU-2026:0477-1

Affected Products

Red Os
Xrdp