Cyber Posture

CVE-2026-32623

High · Updated

Published: 17 April 2026

Modified: 27 April 2026
KEV Added: not listed
Patch: available (fixed in 0.10.6)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.3rd percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32623 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Neutrinolabs Xrdp. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 48.7% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

- prevent: Directly remediates the heap-based buffer overflow by requiring timely installation of the vendor fix in xrdp version 0.10.6.
- prevent: Requires validation of incoming fragmented virtual channel data sizes against allocated buffers to prevent the buffer overflow during RDP proxying.
- prevent: Implements memory protections such as heap isolation and randomization to mitigate exploitation of the heap-based buffer overflow leading to corruption, DoS, or RCE.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remotely exploitable heap-based buffer overflow in a public-facing RDP server (xrdp), enabling unauthenticated RCE or DoS via network attack, directly mapping to Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

xrdp is an open source RDP server. Versions through 0.10.5 contain a heap-based buffer overflow vulnerability in the NeutrinoRDP module. When proxying RDP sessions from xrdp to another server, the module fails to properly validate the size of reassembled fragmented virtual channel data against its allocated memory buffer. A malicious downstream RDP server (or an attacker capable of performing a Man-in-the-Middle attack) could exploit this flaw to cause memory corruption, potentially leading to a Denial of Service (DoS) or Remote Code Execution (RCE). The NeutrinoRDP module is not built by default. This vulnerability only affects environments where the module has been explicitly compiled and enabled. Users can verify if the module is built by checking for --enable-neutrinordp in the output of the xrdp -v command. This issue has been fixed in version 0.10.6.

Deeper analysis · AI

CVE-2026-32623 is a heap-based buffer overflow vulnerability (CWE-122) affecting the NeutrinoRDP module in xrdp, an open source RDP server. Versions through 0.10.5 are vulnerable when the module proxies RDP sessions to another server, as it fails to properly validate the size of reassembled fragmented virtual channel data against its allocated memory buffer. The NeutrinoRDP module is not built by default and must be explicitly compiled and enabled for this issue to be present; users can verify this by checking for --enable-neutrinordp in the output of the xrdp -v command.

A malicious downstream RDP server or an attacker performing a Man-in-the-Middle (MitM) attack can exploit this flaw over the network with no privileges or user interaction required, though it involves high attack complexity (CVSS 8.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation leads to memory corruption, potentially resulting in denial of service (DoS) or remote code execution (RCE) on the xrdp server.

The vulnerability has been addressed in xrdp version 0.10.6, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to 0.10.6 or later and confirm whether the NeutrinoRDP module is enabled in their deployments. Relevant resources include the release page at https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.6 and the advisory at https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-phw3-qp59-x2v4.
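The flaw described above is a missing check of fragment sizes against the buffer allocated for the reassembled channel data. The following is an added illustration of that check, not xrdp's or NeutrinoRDP's code: a small reassembly buffer (hypothetical names vc_buf, vc_buf_init, vc_append_fragment) that rejects any fragment which would overrun the allocation, with a constructed fragment sequence as input.

```c
/* Added illustration, not xrdp's code: a bounds-checked reassembly buffer for
 * fragmented virtual channel data. The names are hypothetical. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef struct {
    uint8_t *data;   /* heap buffer sized from the announced total length */
    size_t   cap;    /* bytes allocated */
    size_t   len;    /* bytes received so far */
} vc_buf;

/* Allocate a reassembly buffer for a channel PDU whose total size the peer announced. */
int vc_buf_init(vc_buf *b, size_t total_len)
{
    b->data = malloc(total_len ? total_len : 1);
    if (b->data == NULL) return -1;
    b->cap = total_len;
    b->len = 0;
    return 0;
}

/* Append one fragment. The remote peer controls frag_len, so it is checked against
 * the space left in the buffer before the copy. Returns 0 on success, -1 if the
 * fragment would overrun the allocation; on -1 the buffer is left unchanged. */
int vc_append_fragment(vc_buf *b, const uint8_t *frag, size_t frag_len)
{
    if (frag_len > b->cap - b->len)   /* len <= cap always holds, so no underflow */
        return -1;
    memcpy(b->data + b->len, frag, frag_len);
    b->len += frag_len;
    return 0;
}

void vc_buf_free(vc_buf *b) { free(b->data); b->data = NULL; b->cap = b->len = 0; }

/* Constructed sample: a 6-byte PDU delivered as 4 + 2 bytes, followed by a rogue
 * 3-byte fragment that a peer announcing 6 bytes should never send. */
int vc_demo(void)
{
    static const uint8_t f1[4] = {1, 2, 3, 4}, f2[2] = {5, 6}, f3[3] = {7, 8, 9};
    vc_buf b;
    int rejected;
    if (vc_buf_init(&b, 6) != 0) return -2;
    vc_append_fragment(&b, f1, sizeof f1);
    vc_append_fragment(&b, f2, sizeof f2);
    rejected = vc_append_fragment(&b, f3, sizeof f3);   /* -1: would exceed the 6-byte buffer */
    vc_buf_free(&b);
    return rejected;
}
```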

Details

CWE(s)

CWE-122 (Heap-based Buffer Overflow)

Affected Products

neutrinolabs
xrdp
≤ 0.10.6

CVEs Like This One

CVE-2026-35512 (same product: Neutrinolabs Xrdp)
CVE-2026-33516 (same product: Neutrinolabs Xrdp)
CVE-2026-32107 (same product: Neutrinolabs Xrdp)
CVE-2026-33689 (same product: Neutrinolabs Xrdp)
CVE-2026-32105 (same product: Neutrinolabs Xrdp)
CVE-2025-68670 (same product: Neutrinolabs Xrdp)
CVE-2025-60724 (shared CWE-122)
CVE-2025-65085 (shared CWE-122)
CVE-2025-3320 (shared CWE-122)
CVE-2026-4395 (shared CWE-122)

References