Cyber Posture

CVE-2026-35512

Severity: High
Published: 17 April 2026
Modified: 27 April 2026
KEV Added: (not listed)
Patch: (see fixed version below)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0049 (65.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

xrdp is an open source RDP server. Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual channel) implementation due to insufficient validation of client-controlled size parameters, allowing an out-of-bounds write via crafted PDUs. Pre-authentication exploitation can crash the process, while post-authentication exploitation may achieve remote code execution. This issue has been fixed in version 0.10.6. If users are unable to immediately update, they should run xrdp as a non-privileged user (default since 0.10.2) to limit the impact of successful exploitation.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Enforces validation of client-controlled size parameters in crafted PDUs to directly prevent the heap-based buffer overflow in xrdp's EGFX implementation.
- prevent: Requires timely flaw remediation through patching to xrdp version 0.10.6, eliminating the vulnerability.
- prevent: Limits the impact of post-authentication exploitation by enforcing least privilege, such as running xrdp as a non-privileged user, to prevent full system compromise.

Security Summary (AI-generated)

CVE-2026-35512 is a heap-based buffer overflow vulnerability (CWE-122) in the EGFX graphics dynamic virtual channel implementation of xrdp, an open source RDP server. Versions through 0.10.5 are affected due to insufficient validation of client-controlled size parameters in crafted PDUs, which can lead to an out-of-bounds write. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A remote attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction. Pre-authentication exploitation results in a denial-of-service condition by crashing the xrdp process, while post-authentication exploitation may enable remote code execution.

The vulnerability has been addressed in xrdp version 0.10.6, as detailed in the project's release notes and security advisory. Users unable to update immediately should ensure xrdp runs as a non-privileged user, which has been the default configuration since version 0.10.2, to mitigate the impact of exploitation. Relevant resources include the GitHub release page at https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.6 and the security advisory at https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-jg6p-7fg8-9hh6.
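As an added illustration of the defect class that the description and the summary above both name (a heap allocation sized from one client-supplied field while the copy into it is sized from another, unchecked one), here is a small C parser for a hypothetical surface PDU. This is example code written for this page, not xrdp's EGFX implementation or wire format; the header layout, the MAX_DIM limit, the status codes and the function names are all assumptions. The vulnerable pattern is shown in a comment for contrast (executing it corrupts the heap), and the hardened parser checks every client-controlled size against both the allocation it drives and the bytes actually present in the packet before any write happens.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical PDU layout used only for this example (NOT xrdp's EGFX
 * wire format): a little-endian fixed header followed by pixel data.
 *   uint16 width | uint16 height | uint32 data_len | data[data_len]
 */
#define HDR_LEN 8
#define MAX_DIM 4096          /* assumed server-side cap on surface size */
#define BYTES_PER_PIXEL 4     /* assumed 32-bit pixels */

enum pdu_status {
    PDU_OK = 0,
    PDU_ERR_SHORT_HEADER,     /* packet shorter than the fixed header */
    PDU_ERR_BAD_DIMENSIONS,   /* zero or oversized width/height */
    PDU_ERR_LEN_MISMATCH,     /* data_len disagrees with width*height*bpp */
    PDU_ERR_TRUNCATED,        /* data_len claims more bytes than arrived */
    PDU_ERR_OOM
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The defect class the advisory describes, shown for contrast only.
 * The heap buffer is sized from width*height, but the copy is sized from
 * the separately client-controlled data_len; nothing ties the two
 * together, so a crafted PDU writes past the end of the allocation:
 *
 *   uint8_t *surface = malloc((size_t)width * height * BYTES_PER_PIXEL);
 *   memcpy(surface, pkt + HDR_LEN, data_len);   // heap overflow (CWE-122)
 */

/* Hardened parser: all client-controlled sizes are validated before the
 * allocation and before the copy. On success *out receives a heap buffer
 * of exactly *out_len bytes that the caller must free(). */
enum pdu_status parse_surface_pdu(const uint8_t *pkt, size_t pkt_len,
                                  uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (pkt_len < HDR_LEN)
        return PDU_ERR_SHORT_HEADER;
    uint16_t width = rd16(pkt), height = rd16(pkt + 2);
    uint32_t data_len = rd32(pkt + 4);
    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM)
        return PDU_ERR_BAD_DIMENSIONS;
    /* With both dimensions capped at 4096 this product is at most 64 MiB,
     * so the multiplication cannot overflow size_t even on 32-bit. */
    size_t expected = (size_t)width * height * BYTES_PER_PIXEL;
    if (data_len != expected)          /* copy length must match allocation */
        return PDU_ERR_LEN_MISMATCH;
    if (pkt_len - HDR_LEN < data_len)  /* and must actually be present */
        return PDU_ERR_TRUNCATED;
    uint8_t *buf = malloc(expected);
    if (!buf)
        return PDU_ERR_OOM;
    memcpy(buf, pkt + HDR_LEN, expected);
    *out = buf;
    *out_len = expected;
    return PDU_OK;
}

/* Demo helper: writes a constructed PDU (header plus payload_len bytes of
 * 0xAB) into dst and returns its total length, or 0 if dst is too small.
 * declared_len goes into the header independently of payload_len so that
 * inconsistent packets can be built for testing. */
size_t build_pdu(uint8_t *dst, size_t cap, uint16_t w, uint16_t h,
                 uint32_t declared_len, size_t payload_len)
{
    if (cap < HDR_LEN + payload_len)
        return 0;
    dst[0] = (uint8_t)(w & 0xff);            dst[1] = (uint8_t)(w >> 8);
    dst[2] = (uint8_t)(h & 0xff);            dst[3] = (uint8_t)(h >> 8);
    dst[4] = (uint8_t)(declared_len & 0xff); dst[5] = (uint8_t)((declared_len >> 8) & 0xff);
    dst[6] = (uint8_t)((declared_len >> 16) & 0xff);
    dst[7] = (uint8_t)((declared_len >> 24) & 0xff);
    memset(dst + HDR_LEN, 0xAB, payload_len);
    return HDR_LEN + payload_len;
}

int main(void)
{
    uint8_t pkt[64];
    uint8_t *surface;
    size_t surface_len;
    /* Constructed packet: header says 2x2 (16 bytes) but carries 48 bytes. */
    size_t n = build_pdu(pkt, sizeof pkt, 2, 2, 48, 48);
    enum pdu_status st = parse_surface_pdu(pkt, n, &surface, &surface_len);
    printf("inconsistent data_len: status=%d\n", (int)st);
    n = build_pdu(pkt, sizeof pkt, 2, 2, 16, 16);
    st = parse_surface_pdu(pkt, n, &surface, &surface_len);
    printf("well-formed PDU: status=%d, %zu bytes\n", (int)st, surface_len);
    free(surface);
    return 0;
}
```

The two checks that matter are the ones the vulnerable pattern lacks: the copy length is tied to the allocation size (`data_len != expected`), and the declared length is tied to what the transport actually delivered (`pkt_len - HDR_LEN < data_len`). Capping dimensions before multiplying is what keeps the size arithmetic itself from wrapping.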

Details

CWE(s): CWE-122 (Heap-based Buffer Overflow)

Affected Products: neutrinolabs xrdp, versions before 0.10.6 (that is, through 0.10.5; the fix ships in 0.10.6)

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The heap-based buffer overflow in the xrdp RDP server enables pre-authentication denial of service and post-authentication remote code execution by a low-privilege remote attacker, which maps directly to Exploitation of Remote Services (T1210) and Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
