CVE-2026-32624
Heap-Based Buffer Overflow in xrdp Logon Causes DoS
Publication date: 2026-04-17
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| neutrinolabs | xrdp | to 0.10.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in xrdp, an open source RDP server, in versions up to 0.10.5. It is a heap-based buffer overflow in the logon processing component. When the domain_user_separator option is configured in xrdp.ini, an unauthenticated remote attacker can send a specially crafted, excessively long username and domain name. This input overflows an internal buffer, which can corrupt adjacent memory regions.
The domain_user_separator directive is commented out by default, so systems are only affected if this setting is intentionally enabled. The vulnerability has been fixed in version 0.10.6.
How can this vulnerability impact me?
The buffer overflow caused by this vulnerability can corrupt memory, which may lead to a Denial of Service (DoS) or cause unexpected behavior in the xrdp server.
Because the attacker can be unauthenticated and remote, this vulnerability could allow disruption of service without requiring prior access.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade xrdp to version 0.10.6 or later, where the heap-based buffer overflow has been fixed.
Until the upgrade is applied, confirm that the domain_user_separator directive in xrdp.ini is not enabled (it is commented out by default); systems are not affected unless this setting is active.
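As an added example, not part of this record or of the xrdp project, the POSIX shell script below checks the two conditions the mitigation names: whether the installed xrdp version is at or past the fixed release 0.10.6, and whether domain_user_separator is uncommented in xrdp.ini. The sample ini contents are constructed for the demonstration, and the installed version is passed in by the operator because the record gives no command for reading it.

```shell
#!/bin/sh
# Added example: assess a host for CVE-2026-32624 exposure from two inputs,
# the installed xrdp version and the contents of xrdp.ini.

# Constructed sample xrdp.ini contents (not real files on disk).
SAMPLE_INI_DEFAULT='[Globals]
port=3389
#domain_user_separator=@
'
SAMPLE_INI_ENABLED='[Globals]
port=3389
domain_user_separator=@
'

# separator_enabled INI_TEXT
# Prints "enabled" and returns 0 when an uncommented domain_user_separator
# line is present; prints "disabled" and returns 1 otherwise.
separator_enabled() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*domain_user_separator[[:space:]]*='; then
        echo enabled
        return 0
    fi
    echo disabled
    return 1
}

# version_fixed VERSION
# Returns 0 when VERSION is 0.10.6 or later (numeric, field by field).
version_fixed() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 0 ] && return 0
    [ "$minor" -gt 10 ] && return 0
    [ "$minor" -eq 10 ] && [ "$patch" -ge 6 ] && return 0
    return 1
}

# assess VERSION INI_TEXT
# Prints a verdict; returns 1 only when the host is actually exposed.
assess() {
    if version_fixed "$1"; then
        echo "not vulnerable: xrdp $1 includes the fix"
        return 0
    fi
    if separator_enabled "$2" >/dev/null; then
        echo "vulnerable: xrdp $1 with domain_user_separator enabled; upgrade to 0.10.6 or later"
        return 1
    fi
    echo "not affected: xrdp $1, domain_user_separator not enabled (upgrade anyway)"
    return 0
}

if [ $# -ge 2 ]; then
    # Real use: sh check_xrdp.sh <installed-xrdp-version> <path-to-xrdp.ini>
    assess "$1" "$(cat "$2")" || :
else
    # Demonstration on the constructed samples
    assess 0.10.5 "$SAMPLE_INI_DEFAULT" || :
    assess 0.10.5 "$SAMPLE_INI_ENABLED" || :
    assess 0.10.6 "$SAMPLE_INI_ENABLED" || :
fi
```

The version check treats only the first three dotted fields as significant, and the ini check matches the directive only at the start of a line so that a leading `#` keeps it counted as disabled.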