Bug 2459272 (CVE-2026-32105) - CVE-2026-32105 xrdp: xrdp: Data integrity compromised due to missing MAC signature verification in Classic RDP Security
Keywords:
Status: NEW
Alias: CVE-2026-32105
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2459297 2459298
Blocks:
Reported: 2026-04-17 20:01 UTC by OSIDB Bzimport
Modified: 2026-06-14 09:56 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-17 20:01:37 UTC
xrdp is an open source RDP server. In versions through 0.10.5, xrdp does not implement verification for the Message Authentication Code (MAC) signature of encrypted RDP packets when using the "Classic RDP Security" layer. While the sender correctly generates signatures, the receiving logic lacks the necessary implementation to validate the 8-byte integrity signature, causing it to be silently ignored. An unauthenticated attacker with man-in-the-middle (MITM) capabilities can exploit this missing check to modify encrypted traffic in transit without detection. It does not affect connections where the TLS security layer is enforced. This issue has been fixed in version 0.10.6. If users are unable to immediately upgrade, they should configure xrdp.ini to enforce TLS security (security_layer=tls) to ensure end-to-end integrity.
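The missing check described above, shown as an added example rather than xrdp's own code: the non-FIPS Classic RDP Security MAC construction from MS-RDPBCGR section 5.3.6.1 as this editor recalls it (SHA-1 inner hash, MD5 outer hash, first 8 bytes kept), with a receive path that ignores the signature next to one that validates it. The MAC key and payload are constructed values, and `receive_without_check`/`receive_with_check` are hypothetical names.

```python
import hashlib
import hmac
import struct

# Padding constants from MS-RDPBCGR 5.3.6.1 (non-FIPS, non-salted variant);
# recalled from the specification, not copied from xrdp.
PAD1 = b"\x36" * 40
PAD2 = b"\x5c" * 48


def rdp_mac(mac_key: bytes, data: bytes) -> bytes:
    """8-byte MACSignature = First64Bits(MD5(key + Pad2 + SHA1(key + Pad1 + len_le32 + data)))."""
    length_le = struct.pack("<I", len(data))           # DataLength, 32-bit little-endian
    sha_component = hashlib.sha1(mac_key + PAD1 + length_le + data).digest()
    return hashlib.md5(mac_key + PAD2 + sha_component).digest()[:8]


def receive_without_check(signature: bytes, data: bytes, mac_key: bytes) -> bytes:
    """Behaviour the advisory describes: the signature is carried but never validated."""
    return data


def receive_with_check(signature: bytes, data: bytes, mac_key: bytes) -> bytes:
    """Hardened receive path: reject the packet unless the 8-byte signature matches."""
    expected = rdp_mac(mac_key, data)
    if len(signature) != 8 or not hmac.compare_digest(expected, signature):
        raise ValueError("MAC signature mismatch: packet modified in transit or wrong key")
    return data


def demo() -> tuple:
    """Returns (tampered packet accepted by unchecked path, rejected by checked path)."""
    key = bytes(range(16))                              # constructed 128-bit MAC key
    data = b"\x03\x00\x00\x0bhello"                     # constructed payload
    sig = rdp_mac(key, data)                            # sender signs correctly
    tampered = data[:-5] + b"HELLO"                     # same length, bytes altered
    accepted_unchecked = receive_without_check(sig, tampered, key) == tampered
    try:
        receive_with_check(sig, tampered, key)
        rejected = False
    except ValueError:
        rejected = True
    return accepted_unchecked, rejected


if __name__ == "__main__":
    print(demo())
```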

Comment 2 Zephyr Lykos 2026-06-14 09:56:53 UTC
should be fixed in 13a9c73444715deb923c2d16705971f60823db28
