CVE-2026-35512
Published: 17 April 2026
Summary
CVE-2026-35512 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Neutrinolabs Xrdp. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked in the top 31.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Enforces validation of client-controlled size parameters in crafted PDUs, directly preventing the heap-based buffer overflow in xrdp's EGFX implementation.
- SI-2 (Flaw Remediation): Requires timely flaw remediation by patching to xrdp version 0.10.6, which eliminates the vulnerability.
- Least privilege: Limits the impact of post-authentication exploitation, for example by running xrdp as a non-privileged user so that a successful exploit does not yield full system compromise.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A heap-based buffer overflow in the xrdp RDP server lets a low-privilege remote attacker cause a pre-authentication denial of service or achieve post-authentication remote code execution, which maps directly to Exploitation of Remote Services (T1210) and Exploitation for Privilege Escalation (T1068).
NVD Description
xrdp is an open source RDP server. Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual channel) implementation due to insufficient validation of client-controlled size parameters, allowing an out-of-bounds write via crafted PDUs. Pre-authentication exploitation can crash the process, while post-authentication exploitation may achieve remote code execution. This issue has been fixed in version 0.10.6. If users are unable to immediately update, they should run xrdp as a non-privileged user (default since 0.10.2) to limit the impact of successful exploitation.
Deeper analysis
CVE-2026-35512 is a heap-based buffer overflow vulnerability (CWE-122) in the EGFX graphics dynamic virtual channel implementation of xrdp, an open source RDP server. Versions through 0.10.5 are affected due to insufficient validation of client-controlled size parameters in crafted PDUs, which can lead to an out-of-bounds write. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A remote attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction. Pre-authentication exploitation results in a denial-of-service condition by crashing the xrdp process, while post-authentication exploitation may enable remote code execution.
The vulnerability has been addressed in xrdp version 0.10.6, as detailed in the project's release notes and security advisory. Users unable to update immediately should ensure xrdp runs as a non-privileged user, which has been the default configuration since version 0.10.2, to mitigate the impact of exploitation. Relevant resources include the GitHub release page at https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.6 and the security advisory at https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-jg6p-7fg8-9hh6.
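A defender-side check for the two mitigations the advisory names (update to 0.10.6 or later, or at least run xrdp as a non-privileged user), as an added shell example that is not part of this page or of the xrdp project. It assumes that `xrdp --version` prints the version number somewhere in its output, that the server's process name is `xrdp`, and that version strings are plain dotted numerics (a leading `v` or a distribution suffix such as `-1` is stripped before comparison).

```shell
#!/bin/sh
# Added example for CVE-2026-35512 (not from the advisory or the xrdp project).
# Assumptions: versions look like "0.10.5", optionally with a leading "v" or a
# distro suffix; the process is named "xrdp"; `xrdp --version` prints the version.

# Normalise a version string to one integer for comparison: "0.10.5" -> 10005.
# Components with leading zeros ("0.08") are not expected and would be read as octal.
version_key() {
    v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -s -d. -f2)
    patch=$(printf '%s' "$v" | cut -s -d. -f3)
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# True (exit 0) when the version is in the affected range: everything before 0.10.6.
xrdp_version_affected() {
    [ "$(version_key "$1")" -lt "$(version_key 0.10.6)" ]
}

# True (exit 0) when the version predates 0.10.2, i.e. it does not yet default to
# running as a non-privileged user, so the process owner must be checked by hand.
xrdp_default_root() {
    [ "$(version_key "$1")" -lt "$(version_key 0.10.2)" ]
}

# Given `ps -eo user=,comm=` style lines on stdin, print the owner of every xrdp
# process. Kept free of side effects so it can be exercised with constructed input.
xrdp_owners() {
    awk '$2 == "xrdp" { print $1 }'
}

# Live check against this host. Exit 0 = nothing to do, 1 = action needed,
# 2 = xrdp not found on PATH.
check_host() {
    ver=$(xrdp --version 2>/dev/null | grep -o '[0-9][0-9.]*' | head -n 1)
    if [ -z "$ver" ]; then
        echo "xrdp not found on PATH"
        return 2
    fi
    rc=0
    if xrdp_version_affected "$ver"; then
        echo "xrdp $ver is affected by CVE-2026-35512: update to 0.10.6 or later"
        rc=1
    else
        echo "xrdp $ver is not in the affected range"
    fi
    owners=$(ps -eo user=,comm= | xrdp_owners | sort -u)
    if printf '%s\n' "$owners" | grep -qx root; then
        echo "xrdp is running as root: run it as a non-privileged user to limit impact"
        rc=1
    fi
    return $rc
}

# Run the live check only when invoked as `sh check_xrdp.sh --live`; sourcing the
# file (or running it without the flag) just defines the functions.
if [ "${1-}" = "--live" ]; then
    check_host
fi
```

The version comparison is deliberately separate from the process-owner check: a host on a patched build that is still configured to run xrdp as root loses the containment the advisory points to, and a host on an old build that already runs unprivileged still needs the patch, so both findings are reported independently.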
Details
- CWE(s)