Bug 2459272 (CVE-2026-32105)
| Summary: | CVE-2026-32105 xrdp: xrdp: Data integrity compromised due to missing MAC signature verification in Classic RDP Security | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | fedora |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | A flaw was found in xrdp, an open-source Remote Desktop Protocol (RDP) server. When using the "Classic RDP Security" layer, xrdp fails to verify the Message Authentication Code (MAC) signature of encrypted RDP packets. This oversight allows an unauthenticated attacker with man-in-the-middle (MITM) capabilities to modify encrypted traffic as it travels between the client and server without being detected, compromising data integrity. This vulnerability does not affect connections where the Transport Layer Security (TLS) security layer is enforced. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2459297, 2459298 | | |
| Bug Blocks: | | | |
Description
OSIDB Bzimport 2026-04-17 20:01:37 UTC
should be fixed in 13a9c73444715deb923c2d16705971f60823db28