SB2026041802 - Fedora EPEL 9 update for xrdp
Published: April 18, 2026
Description
This security bulletin contains information about 8 security vulnerabilities.
1) Improper validation of integrity check value (CVE-ID: CVE-2026-32105)
The vulnerability allows a remote attacker to modify encrypted RDP traffic in transit without detection.
The vulnerability exists due to improper validation of integrity check value in the Classic RDP Security layer packet handling when processing encrypted RDP packets. A remote attacker can perform a man-in-the-middle attack to modify encrypted RDP traffic in transit without detection.
It does not affect connections where the TLS security layer is enforced.
2) Improper Check for Dropped Privileges (CVE-ID: CVE-2026-32107)
The vulnerability allows a local user to escalate privileges to root and execute arbitrary code.
The vulnerability exists due to improper check for dropped privileges in the session execution component when handling an error during the privilege drop process. A local user can trigger the flawed privilege drop handling to escalate privileges to root and execute arbitrary code.
Exploitation requires an additional exploit to facilitate the attack.
3) Heap-based buffer overflow (CVE-ID: CVE-2026-32623)
The vulnerability allows a remote attacker to execute arbitrary code or cause a denial of service.
The vulnerability exists due to heap-based buffer overflow in the NeutrinoRDP channel reassembly logic when processing reassembled fragmented virtual channel data while proxying RDP sessions to another server. A remote attacker can send specially crafted RDP channel data from a downstream server position to execute arbitrary code or cause a denial of service.
The issue only affects environments where the NeutrinoRDP module has been explicitly compiled and enabled, and exploitation requires a malicious downstream RDP server or a man-in-the-middle position.
4) Heap-based buffer overflow (CVE-ID: CVE-2026-32624)
The vulnerability allows a remote attacker to cause a denial of service or modify memory.
The vulnerability exists due to heap-based buffer overflow in logon processing when handling a crafted excessively long username and domain name. A remote attacker can send a crafted excessively long username and domain name to cause a denial of service or modify memory.
Only systems where the domain_user_separator setting is configured in xrdp.ini are vulnerable.
5) Command injection (CVE-ID: CVE-2026-33145)
The vulnerability allows a remote user to execute arbitrary commands on the server.
The vulnerability exists due to command injection in xrdp-sesman when processing a client-supplied AlternateShell value during session initialization. A remote user can supply a crafted AlternateShell value to execute arbitrary commands on the server.
The issue occurs when the AllowAlternateShell setting is enabled, which is the default if not explicitly configured, and command execution happens prior to normal window manager startup.
6) Out-of-bounds read (CVE-ID: CVE-2026-33516)
The vulnerability allows a remote attacker to disclose sensitive information or cause a denial of service.
The vulnerability exists due to out-of-bounds read in the RDP capability exchange handling when processing a specially crafted Confirm Active PDU. A remote attacker can send a specially crafted Confirm Active PDU to disclose sensitive information or cause a denial of service.
The issue can be triggered during the pre-authentication phase.
7) Out-of-bounds read (CVE-ID: CVE-2026-33689)
The vulnerability allows a remote attacker to disclose sensitive information or cause a denial of service.
The vulnerability exists due to out-of-bounds read in the dynamic channel parser when processing a specially crafted sequence of packets during the initial connection phase. A remote attacker can send a specially crafted sequence of packets to disclose sensitive information or cause a denial of service.
The issue is reachable before authentication during RDP message parsing.
8) Heap-based buffer overflow (CVE-ID: CVE-2026-35512)
The vulnerability allows a remote user to execute arbitrary code or cause a denial of service.
The vulnerability exists due to heap-based buffer overflow in the EGFX channel dynvc processing when processing client-controlled size parameters in specially crafted PDUs. A remote user can send specially crafted PDUs to execute arbitrary code or cause a denial of service.
Pre-authentication reachability is possible, but arbitrary code execution typically requires exploitation after successful user authentication.
Remediation
Install update from vendor's website.
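Of the eight items above, items 1, 4 and 5 are reachable only under configuration conditions the bulletin names (TLS security layer not enforced, domain_user_separator configured, AllowAlternateShell enabled or unset). The following Python is an added triage check, not part of this bulletin or of the xrdp project: it parses an xrdp.ini and a sesman.ini and reports which of those three items a host is exposed to. It assumes security_layer and domain_user_separator live in xrdp.ini [Globals] and AllowAlternateShell in sesman.ini [Security]; the sample configs are constructed.

```python
import configparser

# Constructed sample configs (not taken from any real host). Key placement follows
# xrdp.ini [Globals] and sesman.ini [Security]; the latter placement is an assumption.
EXPOSED_XRDP_INI = """\
[Globals]
port=3389
security_layer=negotiate   ; may fall back to the Classic RDP security layer
domain_user_separator=\\
[Xorg]
name=Xorg
"""
EXPOSED_SESMAN_INI = """\
[Security]
AllowRootLogin=false
; AllowAlternateShell unset: the bulletin says it is enabled by default
"""
HARDENED_XRDP_INI = "[Globals]\nport=3389\nsecurity_layer=tls\n"
HARDENED_SESMAN_INI = "[Security]\nAllowRootLogin=false\nAllowAlternateShell=false\n"

TRUE_VALUES = {"true", "yes", "1", "on"}


def load_ini(text):
    """Parse xrdp-style INI text: '#' and ';' start comments, option names are case-insensitive."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def section(cp, name):
    """Return the named section, or an empty mapping when the file lacks it."""
    return cp[name] if cp.has_section(name) else {}


def assess(xrdp_ini, sesman_ini):
    """Return {CVE: exposed?} for the three bulletin items whose reachability is config-gated."""
    g = section(load_ini(xrdp_ini), "Globals")
    s = section(load_ini(sesman_ini), "Security")
    # Item 1: unaffected only where the TLS security layer is enforced.
    # A missing security_layer is treated as not enforced (assumption about the default).
    layer = (g.get("security_layer", "") or "").strip().lower()
    # Item 4: vulnerable only when domain_user_separator is configured.
    separator = (g.get("domain_user_separator", "") or "").strip()
    # Item 5: AllowAlternateShell enabled, which is the default when not configured.
    alt_shell = (s.get("allowalternateshell", "true") or "true").strip().lower()
    return {
        "CVE-2026-32105": layer != "tls",
        "CVE-2026-32624": bool(separator),
        "CVE-2026-33145": alt_shell in TRUE_VALUES,
    }
```

Items 2, 3, 6, 7 and 8 are not configuration-gated (6 and 7 are reachable before authentication), so a clean result here narrows exposure but does not replace installing the update.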