CVE-2026-33689
Received Received - Intake
Out-of-Bounds Read in xrdp Causes Remote DoS, Data Leak

Publication date: 2026-04-17

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
xrdp is an open source RDP server. Versions through 0.10.5 have an out-of-bounds read vulnerability in the pre-authentication RDP message parsing logic. A remote, unauthenticated attacker can trigger this flaw by sending a specially crafted sequence of packets during the initial connection phase. This vulnerability results from insufficient validation of input buffer lengths before processing dynamic channel communication. Successful exploitation can lead to a denial-of-service (DoS) condition via a process crash or potential disclosure of sensitive information from the service's memory space. This issue has been fixed in version 0.10.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33689
EUVD
EUVD-2026-23516
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
neutrinolabs xrdp to 0.10.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in xrdp versions through 0.10.5 can lead to potential disclosure of sensitive information from the service's memory space. Such unauthorized disclosure of sensitive data could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or leaks.

Additionally, the denial-of-service condition caused by this vulnerability could affect system availability, which is also a consideration under some compliance frameworks.

However, the provided information does not explicitly detail the compliance impact or mitigation steps related to these standards.

Executive Summary

This vulnerability exists in xrdp, an open source RDP server, in versions up to 0.10.5. It is an out-of-bounds read flaw in the pre-authentication RDP message parsing logic.

A remote, unauthenticated attacker can exploit this by sending a specially crafted sequence of packets during the initial connection phase.

The root cause is insufficient validation of input buffer lengths before processing dynamic channel communication.

Exploitation can cause a denial-of-service (DoS) via process crash or potentially disclose sensitive information from the service's memory.

This vulnerability was fixed in version 0.10.6.

Impact Analysis

If exploited, this vulnerability can lead to a denial-of-service condition by crashing the xrdp process, disrupting remote desktop services.

Additionally, there is a risk of sensitive information disclosure from the service's memory space, which could compromise confidentiality.

Since the attacker can be remote and unauthenticated, the risk is higher as no prior access is needed.

Mitigation Strategies

To mitigate this vulnerability, upgrade the xrdp server to version 0.10.6 or later, where the issue has been fixed.

Since the vulnerability allows remote unauthenticated attackers to cause denial-of-service or information disclosure, restricting access to the xrdp service from untrusted networks can also help reduce risk until the upgrade is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33689. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart