Cyber Posture

CVE-2026-32623

High

Published: 17 April 2026
Modified: 27 April 2026
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (48.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

xrdp is an open source RDP server. Versions through 0.10.5 contain a heap-based buffer overflow vulnerability in the NeutrinoRDP module. When proxying RDP sessions from xrdp to another server, the module fails to properly validate the size of reassembled fragmented virtual channel data against its allocated memory buffer. A malicious downstream RDP server (or an attacker capable of performing a Man-in-the-Middle attack) could exploit this flaw to cause memory corruption, potentially leading to a Denial of Service (DoS) or Remote Code Execution (RCE). The NeutrinoRDP module is not built by default. This vulnerability only affects environments where the module has been explicitly compiled and enabled. Users can verify if the module is built by checking for --enable-neutrinordp in the output of the xrdp -v command. This issue has been fixed in version 0.10.6.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

[prevent] Directly remediates the heap-based buffer overflow by requiring timely installation of the vendor fix in xrdp version 0.10.6.

[prevent] Requires validation of incoming fragmented virtual channel data sizes against allocated buffers to prevent the buffer overflow during RDP proxying.

[prevent] Implements memory protections such as heap isolation and randomization to mitigate exploitation of the heap-based buffer overflow leading to corruption, DoS, or RCE.

Security Summary [AI-generated]

CVE-2026-32623 is a heap-based buffer overflow vulnerability (CWE-122) affecting the NeutrinoRDP module in xrdp, an open source RDP server. Versions through 0.10.5 are vulnerable when the module proxies RDP sessions to another server, as it fails to properly validate the size of reassembled fragmented virtual channel data against its allocated memory buffer. The NeutrinoRDP module is not built by default and must be explicitly compiled and enabled for this issue to be present; users can verify this by checking for --enable-neutrinordp in the output of the xrdp -v command.

A malicious downstream RDP server or an attacker performing a Man-in-the-Middle (MitM) attack can exploit this flaw over the network with no privileges or user interaction required, though it involves high attack complexity (CVSS 8.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation leads to memory corruption, potentially resulting in denial of service (DoS) or remote code execution (RCE) on the xrdp server.

The vulnerability has been addressed in xrdp version 0.10.6, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to 0.10.6 or later and confirm whether the NeutrinoRDP module is enabled in their deployments. Relevant resources include the release page at https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.6 and the advisory at https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-phw3-qp59-x2v4.
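The missing size check that the Description and Security Summary describe, shown as an added illustration in C. This is a hypothetical virtual-channel reassembler written for this page, not xrdp's or NeutrinoRDP's code: the buffer is allocated from the total length declared by the peer, and each fragment is copied only if it fits in the space that remains.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reassembly state for one virtual channel message. */
typedef struct {
    uint8_t *data;     /* heap buffer sized from the declared total length */
    size_t   capacity; /* bytes allocated */
    size_t   used;     /* bytes received so far; always <= capacity */
} vc_reassembly;

/* Begin reassembly for a message whose first fragment declares total_len bytes. */
static int vc_begin(vc_reassembly *r, uint32_t total_len) {
    r->data = malloc(total_len ? total_len : 1);
    if (!r->data) return -1;
    r->capacity = total_len;
    r->used = 0;
    return 0;
}

/* Hardened append: the fragment is checked against the remaining capacity
   before memcpy. Without this check a peer that sends more bytes than it
   announced writes past the end of the heap buffer. Returns 0 or -1. */
static int vc_append(vc_reassembly *r, const uint8_t *frag, size_t frag_len) {
    if (frag_len > r->capacity - r->used) {
        return -1; /* oversized fragment: reject and tear down the channel */
    }
    memcpy(r->data + r->used, frag, frag_len);
    r->used += frag_len;
    return 0;
}

static void vc_end(vc_reassembly *r) {
    free(r->data);
    r->data = NULL;
    r->capacity = r->used = 0;
}

/* Constructed input: the peer declares 8 bytes, then sends two 6-byte
   fragments. Returns 1 when the second (overflowing) fragment is rejected. */
int demo_reject_oversized(void) {
    static const uint8_t frag1[6] = "ABCDEF";
    static const uint8_t frag2[6] = "GHIJKL";
    vc_reassembly r;
    if (vc_begin(&r, 8) != 0) return 0;
    int first = vc_append(&r, frag1, sizeof frag1);
    int second = vc_append(&r, frag2, sizeof frag2);
    vc_end(&r);
    return first == 0 && second == -1;
}

int main(void) {
    printf("oversized fragment rejected: %s\n", demo_reject_oversized() ? "yes" : "no");
    return 0;
}
```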

Details

CWE(s)

CWE-122 (heap-based buffer overflow)

Affected Products

neutrinolabs
xrdp
≤ 0.10.6

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is a remotely exploitable heap-based buffer overflow in a public-facing RDP server (xrdp), enabling unauthenticated RCE or DoS via network attack, directly mapping to Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
