Description
xrdp is an open source RDP server. Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual channel) implementation due to insufficient validation of client-controlled size parameters, allowing an out-of-bounds write via crafted PDUs. Pre-authentication exploitation can crash the process, while post-authentication exploitation may achieve remote code execution. This issue has been fixed in version 0.10.6. If users are unable to immediately update, they should run xrdp as a non-privileged user (default since 0.10.2) to limit the impact of successful exploitation.
Published: 2026-04-17
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution possible after authentication, Denial of Service before authentication
Action: Patch Immediately
AI Analysis

Impact

A heap-based buffer overflow exists in the EGFX channel of the xrdp RDP server. The flaw arises from insufficient validation of client‑controlled size fields, allowing an out‑of‑bounds write when the server parses crafted PDUs. When exploited before authentication the process can be crashed, and if authentication succeeds the attacker can achieve remote code execution, thereby obtaining full control of the host. This vulnerability is identified as CWE‑122.
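
As an added illustration (constructed for this page, not xrdp's code and not the real EGFX parser), the following C snippet shows the class of check the description says was missing: a client-supplied size field is validated against both the destination heap buffer and the bytes actually received before anything is copied. The toy PDU layout, the MAX_PAYLOAD cap and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not xrdp's code. Toy "EGFX-like" PDU: a 2-byte
 * type, a 4-byte client-supplied payload size (host byte order, for
 * brevity), then the payload. MAX_PAYLOAD is an assumed server-side cap. */
#define HDR_LEN     6
#define MAX_PAYLOAD 4096
enum { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LARGE = 2 };

/* Hardened parse: the client-controlled size is checked against the
 * destination capacity (blocks the heap out-of-bounds write) and against
 * the bytes actually received (blocks an over-read) before any copy. */
int parse_pdu(const uint8_t *buf, size_t buf_len,
              uint8_t *out, size_t out_cap, size_t *out_len)
{
    uint32_t size;
    if (buf_len < HDR_LEN)
        return PARSE_TRUNCATED;
    memcpy(&size, buf + 2, sizeof size);      /* attacker-controlled */
    if (size > MAX_PAYLOAD || size > out_cap)
        return PARSE_TOO_LARGE;               /* the check that was missing */
    if (size > buf_len - HDR_LEN)
        return PARSE_TRUNCATED;               /* claims more than it sent */
    memcpy(out, buf + HDR_LEN, size);
    *out_len = size;
    return PARSE_OK;
}

/* Constructed PDU whose size field claims `claimed` bytes while only
 * `actual` payload bytes follow, parsed into a heap buffer of MAX_PAYLOAD. */
int try_pdu(uint32_t claimed, size_t actual)
{
    size_t len = HDR_LEN + actual, out_len = 0;
    uint8_t *pdu = calloc(len, 1), *out = malloc(MAX_PAYLOAD);
    memcpy(pdu + 2, &claimed, sizeof claimed);
    int rc = parse_pdu(pdu, len, out, MAX_PAYLOAD, &out_len);
    free(pdu); free(out);
    return rc;
}

int main(void)
{
    printf("honest:    %d\n", try_pdu(16, 16));        /* 0 = PARSE_OK */
    printf("oversize:  %d\n", try_pdu(1u << 20, 16));  /* 2 = PARSE_TOO_LARGE */
    printf("truncated: %d\n", try_pdu(100, 16));       /* 1 = PARSE_TRUNCATED */
    return 0;
}
```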

Affected Systems

The issue affects neutrinolabs xrdp server versions 0.10.5 and earlier. The fix was released in version 0.10.6; earlier releases remain vulnerable.

Risk and Exploitability

The CVSS base score of 8.7 indicates a high‑severity flaw with an implied network attack vector and no privilege requirement. The EPSS score is not reported, and the vulnerability is not yet listed in the CISA KEV catalog. Based on the description, the most likely attack involves a malicious RDP client sending specially crafted EGFX packets to a publicly exposed xrdp instance; pre‑authentication exploitation can cause a crash, while post‑authentication exploitation enables arbitrary code execution.

Generated by OpenCVE AI on April 18, 2026 at 09:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the xrdp server to version 0.10.6 or later to receive the vendor's patch.
  • Deploy the vulnerability workaround by running xrdp under a non‑privileged user account (enabled by default since 0.10.2) if an upgrade is not immediately feasible.
  • Restrict inbound RDP access to trusted networks, consider firewall rules, and enforce strong authentication before allowing remote connections to reduce exposure.


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:45:00 +0000

  • First Time appeared: values added Neutrinolabs, Neutrinolabs xrdp
  • Vendors & Products: values added Neutrinolabs, Neutrinolabs xrdp

Fri, 17 Apr 2026 20:30:00 +0000

  • Description: value added "xrdp is an open source RDP server. Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual channel) implementation due to insufficient validation of client-controlled size parameters, allowing an out-of-bounds write via crafted PDUs. Pre-authentication exploitation can crash the process, while post-authentication exploitation may achieve remote code execution. This issue has been fixed in version 0.10.6. If users are unable to immediately update, they should run xrdp as a non-privileged user (default since 0.10.2) to limit the impact of successful exploitation."
  • Title: value added "xrdp: Heap buffer overflow in EGFX channel"
  • Weaknesses: value added CWE-122
  • References: no values listed
  • Metrics: value added cvssV4_0, score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T20:21:59.868Z

Reserved: 2026-04-03T02:15:39.280Z

Link: CVE-2026-35512

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-17T21:16:33.297

Modified: 2026-04-17T21:16:33.297

Link: CVE-2026-35512

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:15:15Z

Weaknesses