
CVE-2026-35512

Severity: High
Published: 17 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: available (xrdp 0.10.6)
CVSS v4.0 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS score: 0.0058 (43.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-35512 is a high-severity heap-based buffer overflow (CWE-122) in neutrinolabs xrdp. Its CVSS v4.0 base score is 8.7 (High); the v3.1 base score is 8.8.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). EPSS ranks it at the 43.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35512 is a heap-based buffer overflow (CWE-122) in the EGFX (graphics dynamic virtual channel) implementation of xrdp, an open source RDP server. Versions through 0.10.5 are affected: size parameters taken from client-sent PDUs are not adequately validated before use, so a crafted PDU can cause an out-of-bounds write on the heap. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerable code path is reachable over the network with low attack complexity and no user interaction. An unauthenticated client can use it to crash the xrdp process, which denies remote desktop access to every user of that host until the service is restarted; a client that has completed authentication (the PR:L in the vector) may be able to turn the overflow into remote code execution.

The fix shipped in xrdp 0.10.6, as described in the project's release notes and security advisory. Until the update can be applied, make sure xrdp runs as a non-privileged user (the default since version 0.10.2). This bounds what an attacker gains from code execution but does not stop the pre-authentication crash, so it is a stopgap, not a substitute for the patch. Relevant resources are the GitHub release page at https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.6 and the security advisory at https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-jg6p-7fg8-9hh6.
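As an added illustration of the bug class described above (example code written for this page, not xrdp's source; the PDU layout, MAX_PAYLOAD and every name in it are assumptions), the following C program contrasts a decoder that trusts a client-supplied length field with one that bounds it against both the bytes actually received and the heap buffer's capacity, which is the kind of check SI-10 (Information Input Validation) calls for:

```c
/* Added example for this page, not xrdp's code. A toy graphics PDU:
 * 2-byte little-endian client-chosen payload length, then the payload.
 * MAX_PAYLOAD, the PDU layout and every name here are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAYLOAD 64  /* hypothetical fixed capacity of the decode buffer */

struct pdu_ctx {
    uint8_t *buf;   /* heap buffer of exactly MAX_PAYLOAD bytes */
    size_t   len;   /* payload bytes currently stored in buf */
};

struct pdu_ctx *pdu_ctx_new(void)
{
    struct pdu_ctx *ctx = calloc(1, sizeof *ctx);
    if (ctx == NULL) return NULL;
    ctx->buf = malloc(MAX_PAYLOAD);
    if (ctx->buf == NULL) { free(ctx); return NULL; }
    return ctx;
}

void pdu_ctx_free(struct pdu_ctx *ctx)
{
    if (ctx == NULL) return;
    free(ctx->buf);
    free(ctx);
}

/* Vulnerable shape (CWE-122): the wire length is used as the copy size.
 * A header claiming 1000 bytes writes 936 bytes past the 64-byte heap
 * buffer; shown only for contrast, never feed it untrusted input. */
int parse_pdu_vulnerable(struct pdu_ctx *ctx, const uint8_t *pdu, size_t pdu_len)
{
    if (pdu_len < 2) return -1;
    uint16_t claimed = (uint16_t)(pdu[0] | ((uint16_t)pdu[1] << 8));
    memcpy(ctx->buf, pdu + 2, claimed);   /* BUG: claimed is unchecked */
    ctx->len = claimed;
    return 0;
}

/* Hardened shape: the claimed length must fit both what was actually
 * received and the destination's capacity before any byte is copied. */
int parse_pdu_checked(struct pdu_ctx *ctx, const uint8_t *pdu, size_t pdu_len)
{
    if (pdu_len < 2) return -1;               /* header incomplete */
    uint16_t claimed = (uint16_t)(pdu[0] | ((uint16_t)pdu[1] << 8));
    if (claimed > pdu_len - 2) return -2;     /* would read past the packet */
    if (claimed > MAX_PAYLOAD) return -3;     /* would write past ctx->buf */
    memcpy(ctx->buf, pdu + 2, claimed);
    ctx->len = claimed;
    return 0;
}

/* Constructed input: a PDU whose header claims 'claimed' bytes while the
 * body really holds 'body_len' bytes of 0xAB. Returns total length, 0 on error. */
size_t build_pdu(uint8_t *out, size_t cap, uint16_t claimed, size_t body_len)
{
    if (cap < 2 + body_len) return 0;
    out[0] = (uint8_t)(claimed & 0xff);
    out[1] = (uint8_t)(claimed >> 8);
    memset(out + 2, 0xAB, body_len);
    return 2 + body_len;
}

/* Feed one constructed PDU through the checked parser; return its verdict. */
int checked_verdict(uint16_t claimed, size_t body_len)
{
    uint8_t wire[4096];
    struct pdu_ctx *ctx = pdu_ctx_new();
    if (ctx == NULL) return -99;
    size_t n = build_pdu(wire, sizeof wire, claimed, body_len);
    int rc = (n == 0) ? -98 : parse_pdu_checked(ctx, wire, n);
    pdu_ctx_free(ctx);
    return rc;
}

/* Both parsers accept a well-formed PDU, which is why the unchecked one
 * survives functional testing. Returns 1 if both accept it. */
int both_accept_honest_pdu(void)
{
    uint8_t wire[64];
    struct pdu_ctx *ctx = pdu_ctx_new();
    if (ctx == NULL) return 0;
    size_t n = build_pdu(wire, sizeof wire, 32, 32);
    int ok = parse_pdu_checked(ctx, wire, n) == 0 && ctx->len == 32
          && parse_pdu_vulnerable(ctx, wire, n) == 0 && ctx->len == 32;
    pdu_ctx_free(ctx);
    return ok;
}

int main(void)
{
    printf("honest 32-byte PDU, both parsers accept: %d\n", both_accept_honest_pdu());
    printf("claims 1000, sends 1000 (heap OOB write): %d\n", checked_verdict(1000, 1000));
    printf("claims 40, sends 8 (OOB read):            %d\n", checked_verdict(40, 8));
    printf("claims 64, sends 64 (boundary, fits):     %d\n", checked_verdict(64, 64));
    return 0;
}
```

The two checks are deliberately separate: comparing against pdu_len catches a header that lies about how much follows it (an over-read), and comparing against MAX_PAYLOAD catches a header that is honest about the packet but larger than the destination (the heap over-write this CVE describes). Dropping either one leaves a hole. Building with `-fsanitize=address` and feeding the 1000-byte PDU to parse_pdu_vulnerable would make AddressSanitizer report the heap-buffer-overflow write directly.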


Vulnerability details

xrdp is an open source RDP server. Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual channel) implementation due to insufficient validation of client-controlled size parameters, allowing an out-of-bounds write via crafted PDUs. Pre-authentication exploitation can crash the process, while post-authentication exploitation may achieve remote code execution. This issue has been fixed in version 0.10.6. If users are unable to immediately update, they should run xrdp as a non-privileged user (default since 0.10.2) to limit the impact of successful exploitation.

CWE(s)

CWE-122 Heap-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The heap-based buffer overflow in the xrdp RDP server gives a low-privilege remote attacker a pre-authentication denial of service and a possible post-authentication remote code execution path, which maps directly to Exploitation of Remote Services (T1210) and Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32623 (same product: neutrinolabs xrdp)
CVE-2026-32107 (same product: neutrinolabs xrdp)
CVE-2026-33516 (same product: neutrinolabs xrdp)
CVE-2026-32105 (same product: neutrinolabs xrdp)
CVE-2026-33689 (same product: neutrinolabs xrdp)
CVE-2025-62456 (shared CWE-122)
CVE-2025-58077 (shared CWE-122)
CVE-2025-62404 (shared CWE-122)
CVE-2025-58455 (shared CWE-122)
CVE-2025-62405 (shared CWE-122)

Affected Assets

neutrinolabs xrdp, versions ≤ 0.10.5 (fixed in 0.10.6)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Enforces validation of the client-controlled size parameters carried in EGFX PDUs, which directly prevents the heap-based buffer overflow.

SI-2 Flaw Remediation (prevent)
Requires timely patching to xrdp 0.10.6, which eliminates the vulnerability.

AC-6 Least Privilege (prevent)
Limits the impact of post-authentication exploitation: running xrdp as a non-privileged user (the default since 0.10.2) keeps code execution in the xrdp process from becoming full system compromise.
