Infinite loop in xrdp - CVE-2026-54538

Published: July 2, 2026


Vulnerability identifier: #VU136785
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-54538
CWE-ID: CWE-835
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: neutrinolabs
Affected software: xrdp

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an infinite loop in RDP packet processing when handling a specially crafted RDP packet with an invalid totalLength field. A remote attacker can send a specially crafted packet to cause a denial of service.

Because the internal read pointer does not advance for certain protocol data unit (PDU) types, the processing loop never terminates, leading to sustained CPU consumption and service unavailability. Multiple malicious connections may together exhaust system-wide resources.
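To show the defect class this advisory describes, here is an added example that is not xrdp's code and is not derived from the vendor's fix: a minimal walker over a constructed length-prefixed PDU stream in which a zero totalLength field stops the read offset from advancing, next to a version that rejects any totalLength smaller than the PDU header or larger than the remaining buffer. The wire layout (2-byte type, 2-byte little-endian totalLength covering the header), the sample bytes, and the function names are assumptions made for illustration only.

```c
/* Added illustration, not xrdp's code. Constructed wire format:
 *   [type:2 LE][totalLength:2 LE][payload: totalLength - 4 bytes] ...
 * totalLength is taken from the packet and therefore attacker-controlled. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PDU_HDR_LEN 4

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Unchecked walker, mirroring the CWE-835 pattern: it trusts totalLength and
 * advances by it. A totalLength of 0 leaves 'off' unchanged, so the loop
 * would spin forever. 'max_iters' exists only so this demo can stop; the
 * return value is the number of loop iterations executed. */
size_t walk_pdus_unchecked(const uint8_t *buf, size_t len, size_t max_iters)
{
    size_t off = 0, iters = 0;
    while (off + PDU_HDR_LEN <= len && iters < max_iters) {
        uint16_t total = rd16(buf + off + 2);
        off += total;                 /* no progress when total == 0 */
        iters++;
    }
    return iters;
}

/* Hardened walker: every PDU must cover at least its own header and must fit
 * in the remaining buffer, so each iteration is guaranteed to make progress.
 * Returns the number of PDUs parsed, or -1 on a malformed length. */
int walk_pdus_checked(const uint8_t *buf, size_t len, uint16_t *types, size_t max_types)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < PDU_HDR_LEN) return -1;   /* truncated header */
        uint16_t type  = rd16(buf + off);
        uint16_t total = rd16(buf + off + 2);
        if (total < PDU_HDR_LEN) return -1;       /* cannot advance: reject */
        if (total > len - off)   return -1;       /* would overrun the buffer */
        if (types && (size_t)n < max_types) types[n] = type;
        n++;
        off += total;                             /* strictly increases */
    }
    return n;
}

/* Constructed sample streams. */
static const uint8_t good_stream[] = {
    0x01,0x00, 0x06,0x00, 0xAA,0xBB,   /* type 1, totalLength 6, 2-byte payload */
    0x02,0x00, 0x04,0x00,              /* type 2, totalLength 4, empty payload */
};
static const uint8_t zero_len_stream[] = {
    0x01,0x00, 0x00,0x00, 0xAA,0xBB,   /* type 1, totalLength 0: never advances */
};
static const uint8_t overrun_stream[] = {
    0x01,0x00, 0x40,0x00, 0xAA,0xBB,   /* type 1, totalLength 64 > bytes present */
};

int main(void)
{
    uint16_t types[8];
    printf("checked   good:    %d PDUs\n",
           walk_pdus_checked(good_stream, sizeof good_stream, types, 8));
    printf("checked   zero:    %d (rejected)\n",
           walk_pdus_checked(zero_len_stream, sizeof zero_len_stream, NULL, 0));
    printf("checked   overrun: %d (rejected)\n",
           walk_pdus_checked(overrun_stream, sizeof overrun_stream, NULL, 0));
    printf("unchecked zero:    %zu iterations before the demo cap\n",
           walk_pdus_unchecked(zero_len_stream, sizeof zero_len_stream, 1000));
    return 0;
}
```

The detection-side takeaway is the same as the fix: a connection whose parser loop runs without the offset moving shows up as a single thread pinned at 100% CPU with no further network reads, so a progress check inside the loop (or an upper bound on iterations per packet) is the cheapest place to stop it.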


How to mitigate CVE-2026-54538

Install the security update from the vendor's website.

Sources