SB2026061550 - Multiple vulnerabilities in xrdp




Published: June 15, 2026
Updated: July 2, 2026

Security Bulletin ID SB2026061550
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 20% Medium 70% Low 10%

Description

This security bulletin contains information about 10 vulnerabilities.


1) Observable Response Discrepancy (CVE-ID: CVE-2026-42218)

CWE-ID: CWE-204 - Observable Response Discrepancy

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to enumerate valid usernames.

The vulnerability exists due to an observable response discrepancy in the login interface: authentication attempts for existing and non-existing usernames take measurably different amounts of time to be answered. A remote attacker can time login responses to determine which usernames are valid, without knowing any password.
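The pattern behind CWE-204 in a login path, and the usual fix, as an added illustration (this is not xrdp's code, and the credential table, the simulated KDF cost and the work counter are constructed for the demo). The leaky version returns as soon as the username lookup fails, so unknown names are answered faster than known ones; the uniform version walks the whole table, selects a dummy secret for unknown names and always runs the (expensive) verification, so both paths do the same amount of work:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed credential table for the demo. A real service stores salted
   password hashes; plaintext is used here only to keep the example short. */
struct user { const char *name; const char *secret; };
static const struct user USERS[] = {
    { "alice", "correct horse" },
    { "bob",   "battery staple" },
};
#define NUSERS    (sizeof USERS / sizeof USERS[0])
#define FIELD_LEN 64      /* fixed comparison width for names and secrets */
#define KDF_COST  1000    /* stands in for the iterations of a slow password hash */

/* work = units of simulated CPU time; a network attacker observes this as latency */
struct auth_result { int ok; unsigned work; };

/* Compares two strings padded to FIELD_LEN bytes without early exit. */
static int ct_field_eq(const char *a, const char *b, unsigned *work)
{
    uint8_t pa[FIELD_LEN] = {0}, pb[FIELD_LEN] = {0};
    uint8_t diff = 0;
    strncpy((char *)pa, a, FIELD_LEN - 1);
    strncpy((char *)pb, b, FIELD_LEN - 1);
    for (size_t i = 0; i < FIELD_LEN; i++) { diff |= pa[i] ^ pb[i]; (*work)++; }
    return diff == 0;
}

/* Simulated slow credential verification: fixed cost regardless of outcome. */
static int verify_secret(const char *stored, const char *given, unsigned *work)
{
    *work += KDF_COST;
    return ct_field_eq(stored, given, work);
}

/* Leaky: unknown usernames return before verification, so they are answered
   roughly KDF_COST units faster than known ones. This is what CWE-204 describes. */
struct auth_result authenticate_leaky(const char *name, const char *secret)
{
    struct auth_result r = { 0, 0 };
    for (size_t i = 0; i < NUSERS; i++) {
        r.work++;
        if (strcmp(USERS[i].name, name) == 0) {
            r.ok = verify_secret(USERS[i].secret, secret, &r.work);
            return r;
        }
    }
    return r;   /* early exit: no verification performed */
}

/* Uniform: no early exit in the lookup, a dummy secret for unknown names, and
   verification always runs. Known and unknown names cost the same:
   NUSERS * FIELD_LEN + KDF_COST + FIELD_LEN units. */
struct auth_result authenticate_uniform(const char *name, const char *secret)
{
    struct auth_result r = { 0, 0 };
    const char *stored = "dummy-secret-never-valid";
    int found = 0;
    for (size_t i = 0; i < NUSERS; i++) {
        int match = ct_field_eq(USERS[i].name, name, &r.work);
        stored = match ? USERS[i].secret : stored;   /* selection, not early exit
                                                        (production code would use a mask) */
        found |= match;
    }
    int verified = verify_secret(stored, secret, &r.work);
    r.ok = found & verified;   /* bitwise: both operands are always evaluated */
    return r;
}

int main(void)
{
    struct auth_result a = authenticate_leaky("alice", "correct horse");
    struct auth_result b = authenticate_leaky("nobody", "correct horse");
    printf("leaky:   known=%u units, unknown=%u units\n", a.work, b.work);
    a = authenticate_uniform("alice", "correct horse");
    b = authenticate_uniform("nobody", "correct horse");
    printf("uniform: known=%u units, unknown=%u units\n", a.work, b.work);
    return 0;
}
```

The work counter is a stand-in for wall-clock time; the property to verify in a real service is that the latency distribution for a non-existent account is indistinguishable from that of an existing one with a wrong password.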


2) Buffer over-read (CVE-ID: CVE-2026-55238)

CWE-ID: CWE-126 - Buffer over-read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the parser for the capability sets carried in the RDP Confirm Active PDU when processing crafted capability negotiation data. A remote attacker can send a specially crafted RDP packet to crash the process handling the connection.

By default, xrdp forks a new process for each connection, so a crash affects only that connection and is unlikely to bring down the entire service.


3) Missing Authentication for Critical Function (CVE-ID: CVE-2026-55626)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to view or control other users' active desktop sessions.

The vulnerability exists due to missing authentication in the Xvnc backend when an authenticated user's session is initialized over a UNIX domain socket. A local user who can reach the socket can connect to the insufficiently protected Xvnc process and view or control other users' active desktop sessions; the CVSS vector (AV:L, PR:L) reflects that the attacker needs local, low-privileged access rather than network access.

Only systems using the Xvnc backend over UNIX domain sockets are affected; deployments using xorgxrdp or Xvnc over TCP sockets are not affected.


4) Out-of-bounds read (CVE-ID: CVE-2026-44978)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the FIPS-specific receive paths when processing a crafted FIPS-protected PDU. A remote attacker can send such a PDU to crash the process handling the connection.

The issue is only reachable when xrdp.ini sets security_layer=negotiate or security_layer=rdp together with crypt_level=fips; deployments that use the default TLS security layer are not affected. Because a new process is forked for each connection by default, a crash is unlikely to bring down the entire service.


5) Out-of-bounds read (CVE-ID: CVE-2026-55639)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the Client Security Data parser when handling the Client MCS Connect Initial PDU (which carries the GCC Conference Create Request) during the connection sequence. A remote attacker can send a specially crafted PDU with malformed Client Security Data to disclose sensitive information.

The read extends only a small number of bytes beyond the declared data block boundary, and it occurs during the initial capability and security negotiation phase, before any credentials are presented.


6) Out-of-bounds read (CVE-ID: CVE-2026-55645)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read when parsing a truncated Client Control PDU during the RDP connection sequence. A remote attacker can send a specially crafted, truncated Client Control PDU to crash the process handling the connection.

Because xrdp forks a new process for each connection by default, a crash is unlikely to bring down the entire service.


7) Infinite loop (CVE-ID: CVE-2026-54538)

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an infinite loop in RDP packet processing when handling a specially crafted RDP packet whose totalLength field is invalid. A remote attacker can send such a packet to cause a denial of service.

For specific PDU types the invalid length causes the internal parsing pointer not to advance, so the processing loop never terminates and the connection's process consumes a CPU core indefinitely. Unlike the crash-based issues above, the per-connection fork model does not contain this: several malicious connections can exhaust the host's CPU and make the service unavailable.
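The two parsing defects behind items 2, 5 and 6 (reading past the end of a length-prefixed block) and item 7 (a length that never moves the pointer forward) are both caught by the same small discipline: check remaining bytes before every read, and refuse any length that cannot cover its own header. The following is an added example, not xrdp's stream API or parser; the set layout (u16 type, u16 length including the header) is modelled on the TS_CAPS_SET header from MS-RDPBCGR, and the sample buffers are constructed, not captured traffic:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal bounded stream (illustrative; not xrdp's stream API). */
struct stream { const uint8_t *p; const uint8_t *end; };

/* 1 if at least n bytes remain, else 0. */
static int s_check_rem(const struct stream *s, size_t n)
{
    return (size_t)(s->end - s->p) >= n;
}

static int s_read_u16_le(struct stream *s, uint16_t *out)
{
    if (!s_check_rem(s, 2))
        return 0;
    *out = (uint16_t)(s->p[0] | ((uint16_t)s->p[1] << 8));
    s->p += 2;
    return 1;
}

/* Set header modelled on TS_CAPS_SET: u16 type, u16 length that includes the header. */
#define CAPSET_HDR_LEN 4

/* Walks capability sets until the buffer is exhausted. Returns the number of
   sets parsed, or -1 for malformed input. Without check (a) a set that claims
   more body than the buffer holds is read past the end (the bulletin's
   out-of-bounds reads); without check (b) a length of 0..3 never advances p
   and the loop never terminates (the bulletin's infinite loop). */
int parse_capsets(const uint8_t *buf, size_t len)
{
    struct stream s = { buf, buf + len };
    int n = 0;

    while (s.p < s.end) {
        uint16_t type, caplen;
        if (!s_read_u16_le(&s, &type) || !s_read_u16_le(&s, &caplen))
            return -1;                                   /* (a) header truncated */
        if (caplen < CAPSET_HDR_LEN)
            return -1;                                   /* (b) cannot cover its own header */
        if (!s_check_rem(&s, (size_t)caplen - CAPSET_HDR_LEN))
            return -1;                                   /* (a) body longer than remaining data */
        (void)type;                                      /* a real parser dispatches on it */
        s.p += caplen - CAPSET_HDR_LEN;                  /* always advances by >= 4 bytes per set */
        n++;
    }
    return n;
}

/* Constructed inputs (not captured traffic). */
static const uint8_t CAPS_OK[] = {
    0x01, 0x00, 0x08, 0x00, 0xaa, 0xbb, 0xcc, 0xdd,     /* type 1, length 8, 4 body bytes */
    0x02, 0x00, 0x04, 0x00,                             /* type 2, length 4, empty body   */
};
static const uint8_t CAPS_TRUNCATED[] = { 0x01, 0x00, 0x08, 0x00, 0xaa, 0xbb }; /* claims 4 body bytes, holds 2 */
static const uint8_t CAPS_ZERO_LEN[]  = { 0x01, 0x00, 0x00, 0x00 };             /* length 0: would never advance */
static const uint8_t CAPS_HALF_HDR[]  = { 0x01, 0x00, 0x04, 0x00, 0x02, 0x00 }; /* second header cut short */

int main(void)
{
    printf("ok        -> %d\n", parse_capsets(CAPS_OK, sizeof CAPS_OK));
    printf("truncated -> %d\n", parse_capsets(CAPS_TRUNCATED, sizeof CAPS_TRUNCATED));
    printf("zero len  -> %d\n", parse_capsets(CAPS_ZERO_LEN, sizeof CAPS_ZERO_LEN));
    printf("half hdr  -> %d\n", parse_capsets(CAPS_HALF_HDR, sizeof CAPS_HALF_HDR));
    return 0;
}
```

Check (b) is the one most often forgotten: a parser that only validates the remaining length will happily accept a zero-length element, and a `while (p < end)` loop with no forward progress is exactly the CPU-pinning condition described above.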


8) Heap-based buffer overflow (CVE-ID: CVE-2026-44178)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote authenticated user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to a heap-based buffer overflow in the virtual channel forwarding mechanism when forwarding data from a remote client to the internal channel server. A remote authenticated user can send a specially crafted virtual channel message whose length exceeds the capacity of the forwarding buffer to execute arbitrary code or cause a denial of service. Unlike the parsing issues above, this requires a valid login (PR:L in the CVSS vector).
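A forwarding path for virtual channel data typically reassembles chunks into a heap buffer sized from the total length announced in the first chunk, and the overflow class described above is what results when a later chunk is copied without checking it against the remaining capacity. The following is an added example, not xrdp's channel code; the header fields and flag values follow the MS-RDPBCGR virtual channel PDU header (u32 total length, CHANNEL_FLAG_FIRST 0x01, CHANNEL_FLAG_LAST 0x02, 1600-byte chunks), while the per-message cap, function names and scenarios are constructed for the demo:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define CHANNEL_FLAG_FIRST   0x01u
#define CHANNEL_FLAG_LAST    0x02u
#define CHANNEL_CHUNK_LENGTH 1600u                 /* default chunk size (MS-RDPBCGR) */
#define MAX_TOTAL_LENGTH     (8u * 1024u * 1024u)  /* assumed per-message cap for this demo */

/* Reassembly state for one virtual channel. */
struct chan_reasm {
    uint8_t *buf;      /* allocated from the total length in the FIRST chunk */
    uint32_t total;    /* declared total length of the message */
    uint32_t used;     /* bytes received so far */
    int active;        /* a message is in progress */
};

enum { CHUNK_OK = 0, CHUNK_COMPLETE = 1, CHUNK_REJECT = -1 };

/* Appends one chunk. Never writes past buf: the "data_len > remaining" check is
   the one whose absence turns an oversize chunk into a heap overflow. */
int chan_push_chunk(struct chan_reasm *r, uint32_t total_len, uint32_t flags,
                    const uint8_t *data, uint32_t data_len)
{
    if (data_len == 0 || data_len > CHANNEL_CHUNK_LENGTH)
        return CHUNK_REJECT;                       /* chunk larger than the protocol allows */

    if (flags & CHANNEL_FLAG_FIRST) {
        if (total_len == 0 || total_len > MAX_TOTAL_LENGTH)
            return CHUNK_REJECT;                   /* refuse absurd allocations */
        free(r->buf);
        r->buf = malloc(total_len);
        if (r->buf == NULL)
            return CHUNK_REJECT;
        r->total = total_len;
        r->used = 0;
        r->active = 1;
    } else if (!r->active || total_len != r->total) {
        return CHUNK_REJECT;                       /* continuation without FIRST, or header changed mid-message */
    }

    if (data_len > r->total - r->used) {           /* the missing check: would overflow buf */
        r->active = 0;
        return CHUNK_REJECT;
    }

    memcpy(r->buf + r->used, data, data_len);
    r->used += data_len;

    if (flags & CHANNEL_FLAG_LAST) {
        r->active = 0;
        return (r->used == r->total) ? CHUNK_COMPLETE : CHUNK_REJECT;  /* short message */
    }
    return CHUNK_OK;
}

void chan_free(struct chan_reasm *r) { free(r->buf); r->buf = NULL; r->active = 0; }

/* Constructed scenarios (no captured traffic). Each returns 1 when behaviour is as intended. */
int scenario_two_chunks(void)
{
    struct chan_reasm r = {0};
    uint8_t a[1000] = {0}, b[600] = {0};
    int s1 = chan_push_chunk(&r, 1600, CHANNEL_FLAG_FIRST, a, sizeof a);
    int s2 = chan_push_chunk(&r, 1600, CHANNEL_FLAG_LAST, b, sizeof b);
    chan_free(&r);
    return s1 == CHUNK_OK && s2 == CHUNK_COMPLETE;
}

int scenario_overflow(void)
{
    struct chan_reasm r = {0};
    uint8_t a[1000] = {0}, b[1000] = {0};
    int s1 = chan_push_chunk(&r, 1600, CHANNEL_FLAG_FIRST, a, sizeof a); /* 600 bytes of room left */
    int s2 = chan_push_chunk(&r, 1600, CHANNEL_FLAG_LAST, b, sizeof b);  /* 1000 bytes: must be rejected */
    chan_free(&r);
    return s1 == CHUNK_OK && s2 == CHUNK_REJECT;
}

int scenario_no_first(void)
{
    struct chan_reasm r = {0};
    uint8_t b[16] = {0};
    int s = chan_push_chunk(&r, 16, CHANNEL_FLAG_LAST, b, sizeof b);   /* continuation with no message open */
    chan_free(&r);
    return s == CHUNK_REJECT;
}

int main(void)
{
    printf("two chunks: %d, overflow rejected: %d, no FIRST rejected: %d\n",
           scenario_two_chunks(), scenario_overflow(), scenario_no_first());
    return 0;
}
```

The invariant worth stating in review is simple: the buffer is sized once, from a value the client controls, and every subsequent copy must be bounded by that size rather than by the client's chunk length.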


9) Integer overflow (CVE-ID: CVE-2026-41521)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to disclose sensitive information or cause a denial of service.

The vulnerability exists due to an integer overflow in screen update message processing in vnc-any mode when handling crafted image dimensions received from a VNC server. A remote attacker who controls the VNC server that xrdp connects to can send screen update messages with crafted dimensions to disclose sensitive information or cause a denial of service.

Exploitation requires the vnc-any connection mode or another configuration that allows xrdp to connect to arbitrary VNC hosts; in such configurations the VNC server, not the RDP client, is the untrusted party.


10) Heap-based buffer overflow (CVE-ID: CVE-2026-41252)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in RFB protocol color map message handling in xrdp vnc-any mode when processing crafted color map messages from a VNC server. A remote attacker who controls the VNC server that xrdp connects to can send messages with out-of-range color indices to write outside the color map buffer and execute arbitrary code.

The issue can also result in a denial of service, and it can be exploited prior to authentication.
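Items 9 and 10 are both about trusting values in server-to-client RFB messages when xrdp acts as a VNC client: an index range that is never checked against the color map size, and a width x height x bytes-per-pixel product computed in too few bits. The following is an added example, not xrdp's RFB client code; the SetColourMapEntries wire layout (type 1, padding, U16 firstColour, U16 nColours, then nColours x three U16 values) follows the RFB specification, while the 256-entry map, the 64 MiB buffer cap, the function names and the sample messages are constructed for the demo:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CMAP_ENTRIES   256u               /* colour map size assumed for this demo */
#define MAX_RECT_BYTES (64u << 20)        /* assumed cap on one update buffer (64 MiB) */
#define RFB_SET_COLOUR_MAP_ENTRIES 1      /* server-to-client message type (RFB spec) */

struct rgb16 { uint16_t r, g, b; };       /* RFB carries 16-bit R, G, B per entry */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Copies n_colours entries into cmap starting at first_colour, refusing any
   index outside cmap[0..CMAP_ENTRIES). The sum is formed in 32 bits. Without
   this check a crafted firstColour writes past the heap-allocated table. */
int cmap_apply(struct rgb16 *cmap, uint16_t first_colour, uint16_t n_colours,
               const struct rgb16 *entries)
{
    if ((uint32_t)first_colour + n_colours > CMAP_ENTRIES)
        return -1;
    for (uint32_t i = 0; i < n_colours; i++)
        cmap[first_colour + i] = entries[i];
    return (int)n_colours;
}

/* Parses a SetColourMapEntries message and applies it. Returns the number of
   entries applied, or -1 when the message is malformed or out of range. */
int rfb_handle_set_cmap(const uint8_t *msg, size_t len, struct rgb16 *cmap)
{
    if (len < 6 || msg[0] != RFB_SET_COLOUR_MAP_ENTRIES)
        return -1;
    uint16_t first = be16(msg + 2), n = be16(msg + 4);
    if ((size_t)n * 6 > len - 6)                     /* body shorter than nColours claims: OOB read */
        return -1;
    if ((uint32_t)first + n > CMAP_ENTRIES)          /* range check before touching any table */
        return -1;
    struct rgb16 entries[CMAP_ENTRIES];              /* n <= CMAP_ENTRIES is now guaranteed */
    const uint8_t *p = msg + 6;
    for (uint32_t i = 0; i < n; i++, p += 6) {
        entries[i].r = be16(p);
        entries[i].g = be16(p + 2);
        entries[i].b = be16(p + 4);
    }
    return cmap_apply(cmap, first, n, entries);
}

/* The unchecked arithmetic a framebuffer-update path often has: w*h*bpp in 32 bits.
   32768 x 32768 x 4 is exactly 2^32 and wraps to 0, so a later malloc(0) is
   followed by writes of the real pixel data. */
uint32_t rect_bytes_unchecked(uint16_t w, uint16_t h, uint32_t bpp)
{
    return (uint32_t)w * h * bpp;
}

/* Checked version: 64-bit product, rejects zero-area and oversize rectangles.
   Returns 0 on rejection (0 is never a valid size here). */
size_t rect_bytes_checked(uint16_t w, uint16_t h, uint32_t bpp)
{
    uint64_t bytes = (uint64_t)w * h * bpp;
    if (w == 0 || h == 0 || bpp == 0 || bytes > MAX_RECT_BYTES)
        return 0;
    return (size_t)bytes;
}

/* Constructed messages (not captured traffic). */
static struct rgb16 CMAP[CMAP_ENTRIES];
static const uint8_t CMAP_MSG_OK[] = {
    1, 0, 0x00, 0x00, 0x00, 0x02,                    /* firstColour 0, nColours 2 */
    0x00, 0x00, 0x00, 0x00, 0xff, 0xff,              /* entry 0: r=0, g=0, b=0xffff */
    0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc,              /* entry 1 */
};
static const uint8_t CMAP_MSG_OOB_INDEX[] = {
    1, 0, 0xff, 0xfe, 0x00, 0x02,                    /* firstColour 65534, nColours 2 */
    0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0,
};
static const uint8_t CMAP_MSG_SHORT[] = { 1, 0, 0, 0, 0, 2,  0, 0, 0, 0, 0, 0 }; /* claims 2, carries 1 */

int main(void)
{
    printf("ok=%d oob=%d short=%d\n",
           rfb_handle_set_cmap(CMAP_MSG_OK, sizeof CMAP_MSG_OK, CMAP),
           rfb_handle_set_cmap(CMAP_MSG_OOB_INDEX, sizeof CMAP_MSG_OOB_INDEX, CMAP),
           rfb_handle_set_cmap(CMAP_MSG_SHORT, sizeof CMAP_MSG_SHORT, CMAP));
    printf("unchecked 32768x32768x4 = %u, checked = %zu\n",
           rect_bytes_unchecked(32768, 32768, 4), rect_bytes_checked(32768, 32768, 4));
    return 0;
}
```

The defensive posture for vnc-any is the same as for any client that dials an arbitrary host: every length, count and index from the server is attacker data, and the per-connection fork model that contains crashes on the RDP side does not reduce the impact of a successful heap write here.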


Remediation

Install the update from the vendor's website.