#1134339 xrdp: CVE-2026-32105 CVE-2026-32107 CVE-2026-32623 CVE-2026-32624 CVE-2026-33145 CVE-2026-33516 CVE-2026-33689 CVE-2026-35512

Package:
src:xrdp
Source:
src:xrdp
Submitter:
Salvatore Bonaccorso
Date:
2026-06-25 20:25:01 UTC
Severity:
normal
Tags:
#1134339#5
Date:
2026-04-18 19:34:49 UTC
Hi,

The following vulnerabilities were published for xrdp.

CVE-2026-32105[0]:
| xrdp is an open source RDP server. In versions through 0.10.5, xrdp
| does not implement verification for the Message Authentication Code
| (MAC) signature of encrypted RDP packets when using the "Classic RDP
| Security" layer. While the sender correctly generates signatures,
| the receiving logic lacks the necessary implementation to validate
| the 8-byte integrity signature, causing it to be silently ignored.
| An unauthenticated attacker with man-in-the-middle (MITM)
| capabilities can exploit this missing check to modify encrypted
| traffic in transit without detection. It does not affect connections
| where the TLS security layer is enforced. This issue has been fixed
| in version 0.10.6. If users are unable to immediately upgrade, they
| should configure xrdp.ini to enforce TLS security
| (security_layer=tls) to ensure end-to-end integrity.


CVE-2026-32107[1]:
| xrdp is an open source RDP server. In versions through 0.10.5, the
| session execution component did not properly handle an error during
| the privilege drop process. This improper privilege management could
| allow an authenticated local attacker to escalate privileges to root
| and execute arbitrary code on the system. An additional exploit
| would be needed to facilitate this. This issue has been fixed in
| version 0.10.6.


CVE-2026-32623[2]:
| xrdp is an open source RDP server. Versions through 0.10.5 contain a
| heap-based buffer overflow vulnerability in the NeutrinoRDP module.
| When proxying RDP sessions from xrdp to another server, the module
| fails to properly validate the size of reassembled fragmented
| virtual channel data against its allocated memory buffer. A
| malicious downstream RDP server (or an attacker capable of
| performing a Man-in-the-Middle attack) could exploit this flaw to
| cause memory corruption, potentially leading to a Denial of Service
| (DoS) or Remote Code Execution (RCE). The NeutrinoRDP module is not
| built by default. This vulnerability only affects environments where
| the module has been explicitly compiled and enabled. Users can
| verify if the module is built by checking for --enable-neutrinordp
| in the output of the xrdp -v command. This issue has been fixed in
| version 0.10.6.


CVE-2026-32624[3]:
| xrdp is an open source RDP server. Versions through 0.10.5 contain a
| heap-based buffer overflow vulnerability in its logon processing. In
| environments where domain_user_separator is configured in xrdp.ini,
| an unauthenticated remote attacker can send a crafted, excessively
| long username and domain name to overflow the internal buffer. This
| can corrupt adjacent memory regions, potentially leading to a Denial
| of Service (DoS) or unexpected behavior. The domain_name_separator
| directive is commented out by default, so systems are not affected
| by this vulnerability unless it is intentionally configured. This
| issue has been fixed in version 0.10.6.


CVE-2026-33145[4]:
| xrdp is an open source RDP server. Versions through 0.10.5 allow an
| authenticated remote user to execute arbitrary commands on the
| server due to unsafe handling of the AlternateShell parameter in
| xrdp-sesman. When the AllowAlternateShell setting is enabled (which
| is the default when not explicitly configured), xrdp accepts a
| client-supplied AlternateShell value and executes it via /bin/sh -c
| during session initialization. This results in shell-interpreted
| execution of unsanitized, user-controlled input. This behavior
| effectively provides a scriptable remote command execution primitive
| over RDP within the security context of the authenticated user,
| occurring prior to normal window manager startup. This can bypass
| expected session initialization flows and operational assumptions
| that restrict execution to interactive desktop environments. This
| issue has been fixed in version 0.10.6.


CVE-2026-33516[5]:
| xrdp is an open source RDP server. Versions through 0.10.5 contain
| an out-of-bounds read vulnerability during the RDP capability
| exchange phase. The issue occurs when memory is accessed before
| validating the remaining buffer length. A remote, unauthenticated
| attacker can trigger this vulnerability by sending a specially
| crafted Confirm Active PDU. Successful exploitation could lead to a
| denial of service (process crash) or potential disclosure of
| sensitive information from the process memory. This issue has been
| fixed in version 0.10.6.


CVE-2026-33689[6]:
| xrdp is an open source RDP server. Versions through 0.10.5 have an
| out-of-bounds read vulnerability in the pre-authentication RDP
| message parsing logic. A remote, unauthenticated attacker can
| trigger this flaw by sending a specially crafted sequence of packets
| during the initial connection phase. This vulnerability results from
| insufficient validation of input buffer lengths before processing
| dynamic channel communication. Successful exploitation can lead to a
| denial-of-service (DoS) condition via a process crash or potential
| disclosure of sensitive information from the service's memory space.
| This issue has been fixed in version 0.10.6.


CVE-2026-35512[7]:
| xrdp is an open source RDP server. Versions through 0.10.5 have a
| heap-based buffer overflow in the EGFX (graphics dynamic virtual
| channel) implementation due to insufficient validation of client-
| controlled size parameters, allowing an out-of-bounds write via
| crafted PDUs. Pre-authentication exploitation can crash the process,
| while post-authentication exploitation may achieve remote code
| execution. This issue has been fixed in version 0.10.6. If users are
| unable to immediately update, they should run xrdp as a non-
| privileged user (default since 0.10.2) to limit the impact of
| successful exploitation.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-32105
https://www.cve.org/CVERecord?id=CVE-2026-32105
[1] https://security-tracker.debian.org/tracker/CVE-2026-32107
https://www.cve.org/CVERecord?id=CVE-2026-32107
[2] https://security-tracker.debian.org/tracker/CVE-2026-32623
https://www.cve.org/CVERecord?id=CVE-2026-32623
[3] https://security-tracker.debian.org/tracker/CVE-2026-32624
https://www.cve.org/CVERecord?id=CVE-2026-32624
[4] https://security-tracker.debian.org/tracker/CVE-2026-33145
https://www.cve.org/CVERecord?id=CVE-2026-33145
[5] https://security-tracker.debian.org/tracker/CVE-2026-33516
https://www.cve.org/CVERecord?id=CVE-2026-33516
[6] https://security-tracker.debian.org/tracker/CVE-2026-33689
https://www.cve.org/CVERecord?id=CVE-2026-33689
[7] https://security-tracker.debian.org/tracker/CVE-2026-35512
https://www.cve.org/CVERecord?id=CVE-2026-35512

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
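
The mitigations named in the descriptions above (security_layer=tls, the commented-out domain_user_separator, AllowAlternateShell in xrdp-sesman, the --enable-neutrinordp build option, and running as a non-privileged user) can be checked together. The following Python is an added example written for this page, not xrdp project code; it assumes the xrdp.ini and sesman.ini text and the `xrdp -v` output are passed in as strings, and its INI parsing and version-line format are simplifying assumptions.

```python
# Added example (not from the bug report or from xrdp): map the CVEs in this
# report to the mitigations the advisory names and list what is still exposed.
import re

FIXED_VERSION = (0, 10, 6)  # per the report, every listed CVE is fixed here


def parse_xrdp_ini(text):
    """Return {lowercased key: value}, ignoring sections and comment lines
    ('#' or ';'). A commented-out key is thus not 'set', which matches how
    the advisory treats domain_user_separator. Simplified parser (assumption)."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        k, v = line.split("=", 1)
        keys[k.strip().lower()] = v.strip()
    return keys


def parse_version(xrdp_v_output):
    """Assumes the first line of `xrdp -v` looks like 'xrdp 0.10.5'."""
    m = re.search(r"^xrdp\s+(\d+)\.(\d+)\.(\d+)", xrdp_v_output, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(xrdp_v_output, xrdp_ini_text, sesman_ini_text, xrdp_user):
    """Sorted CVE ids for which no named mitigation is in place on this host."""
    version = parse_version(xrdp_v_output)
    if version is not None and version >= FIXED_VERSION:
        return []  # 0.10.6 or later: nothing in this report applies
    xrdp_ini = parse_xrdp_ini(xrdp_ini_text)
    sesman_ini = parse_xrdp_ini(sesman_ini_text)
    # No configuration workaround is named for these three: upgrade only.
    exposed = {"CVE-2026-32107", "CVE-2026-33516", "CVE-2026-33689"}
    if xrdp_ini.get("security_layer", "").lower() != "tls":
        exposed.add("CVE-2026-32105")  # MAC unverified on classic RDP security
    if "--enable-neutrinordp" in xrdp_v_output:
        exposed.add("CVE-2026-32623")  # NeutrinoRDP proxy module was built
    if "domain_user_separator" in xrdp_ini:
        exposed.add("CVE-2026-32624")  # separator configured, not commented out
    if sesman_ini.get("allowalternateshell", "true").lower() != "false":
        exposed.add("CVE-2026-33145")  # unset means enabled (the default)
    if xrdp_user == "root":
        exposed.add("CVE-2026-35512")  # impact-limiting non-root user not used
    return sorted(exposed)


# Constructed sample inputs for a stand-alone run (not real xrdp output).
SAMPLE_XRDP_V = "xrdp 0.10.5\n  Configure options:\n    --enable-neutrinordp\n"
SAMPLE_XRDP_INI = "[Globals]\nsecurity_layer=negotiate\n#domain_user_separator=@\n"
SAMPLE_SESMAN_INI = "[Security]\nAllowRootLogin=false\n"
```

Run `assess(SAMPLE_XRDP_V, SAMPLE_XRDP_INI, SAMPLE_SESMAN_INI, "xrdp")` to see which of the eight ids remain open for the constructed sample host.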

#1134339#12
Date:
2026-04-19 20:34:40 UTC
We believe that the bug you reported is fixed in the latest version of
xrdp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1134339@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alex Myczko <tar@debian.org> (supplier of updated xrdp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 19 Apr 2026 20:06:18 +0000
Source: xrdp
Architecture: source
Version: 0.10.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Remote Maintainers <debian-remote@lists.debian.org>
Changed-By: Alex Myczko <tar@debian.org>
Closes: 1134339
Changes:
 xrdp (0.10.6-1) unstable; urgency=medium
 .
   * New upstream version. (Closes: #1134339)
     (CVE-2026-32105 CVE-2026-32107 CVE-2026-32623 CVE-2026-32624
      CVE-2026-33145 CVE-2026-33516 CVE-2026-33689 CVE-2026-35512)

#1134339#19
Date:
2026-06-25 07:35:05 UTC
Hi,

are there any plans to backport the fixes to Trixie, or even Bookworm?

Best regards,

	Dirk

#1134339#24
Date:
2026-06-25 20:22:00 UTC
Hi,

Yes, indeed it is planned to release a DSA with the security fixes for
trixie-security.

Regards,
Salvatore