PT-2026-4947 · Xrdp+3 · Xrdp+3
Published
2025-01-01
·
Updated
2026-06-25
·
CVE-2025-68670
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
xrdp versions prior to 0.10.5
Description
xrdp contains an unauthenticated stack-based buffer overflow. The issue occurs during the pre-authentication Secure Settings Exchange via Client Info PDU (T1210) due to improper bounds checking in the
xrdp wm parse domain information() function. Specifically, the function processes a 512-byte UTF-8 domain into a 256-byte buffer. A remote attacker can exploit this by using crafted UTF-16 domain names that expand during conversion to UTF-8, specifically using a domain name starting with " " followed by more than 256 UTF-8 bytes before the " " delimiter. This allows the attacker to overwrite the stack buffer and the return address to execute arbitrary code. Stack canaries provide partial protection but can be bypassed if the canary value is leaked. Real-world incidents have been reported where attackers used this flaw to gain remote code execution, escalate privileges, and move laterally through networks.Recommendations
Upgrade to version 0.10.5.
Do not rely on stack canary protection on production systems.
Exploit
Fix
RCE
DoS
Memory Corruption
Stack Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Linuxmint
Red Os
Ubuntu
Xrdp