Bug 2459312 (CVE-2026-35512)

Summary: CVE-2026-35512 xrdp: xrdp: Remote Code Execution via heap-based buffer overflow
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: fedora
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in xrdp, an open-source Remote Desktop Protocol (RDP) server. This heap-based buffer overflow vulnerability, caused by insufficient validation of client-controlled size parameters, allows an out-of-bounds write via crafted Protocol Data Units (PDUs). A remote attacker can exploit this pre-authentication to crash the process, or post-authentication to achieve remote code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2459619, 2459620    
Bug Blocks:    

Description OSIDB Bzimport 2026-04-17 21:01:46 UTC 
xrdp is an open source RDP server. Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual channel) implementation due to insufficient validation of client-controlled size parameters, allowing an out-of-bounds write via crafted PDUs. Pre-authentication exploitation can crash the process, while post-authentication exploitation may achieve remote code execution. This issue has been fixed in version 0.10.6. If users are unable to immediately update, they should run xrdp as a non-privileged user (default since 0.10.2) to limit the impact of successful exploitation.
Comment 3 Zephyr Lykos 2026-06-14 09:54:53 UTC 
should be fixed in 13a9c73444715deb923c2d16705971f60823db28