
Stay Secure with the Latest Linux Advisories


Fedora 42 xrdp Critical Remote Code Execution CVE-2025-68670

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-b409dad73e
2026-02-08 00:51:49.071197+00:00
--------------------------------------------------------------------------------

Name        : xrdp
Product     : Fedora 42
Version     : 0.10.5
Release     : 1.fc42
URL         : http://www.xrdp.org/
Summary     : Open source remote desktop protocol (RDP) server
Description :
xrdp provides a fully functional RDP server compatible with a wide range
of RDP clients, including FreeRDP and Microsoft RDP client.

--------------------------------------------------------------------------------
Update Information:

Release notes for xrdp v0.10.5 (2026/01/27)

Security fixes
- CVE-2025-68670: Improper bounds checking of domain string length leads to Stack-based Buffer Overflow

New features
- It is now possible to start the xrdp daemon entirely unprivileged from the service manager (#3599 #3603). If you do this certain restrictions will apply. See https://github.com/neutrinolabs/xrdp/wiki/Running-the-xrdp-process-as-non-root for details.
- TLS pre-master secrets can now be recorded for packet captures (#3617)
- Add a FuseRootReportMaxFree to work around 'no free space' issues with some file managers (#3639)
- Alternate shell names can now be passed to startwm.sh in an environment variable for more system management control (#3624 #3651)
- Updated Xorg paths in sesman.ini to include more recent distros (#3663)
- Add Slovenian keyboard (#3668 #3670)
- xrdpapi: Add a way to monitor connect/disconnect events (#3693)

Bug fixes
- Allow an empty X11 UTF8_STRING to be pasted to the clipboard (#3580 #3582)
- Fix a regression introduced in v0.10.x, where it became impossible to connect to a VNC server which did not support the ExtendedDesktopSize encoding (#3540 #3584)
- Fix a regression introduced in v0.10.x related to PAM groups handling (#3594)
- Inconsistencies with [MS-RDPBCGR] have been addressed (#3608)
- A reference to uninitialised data within the verify_user_pam_userpass.c module has been fixed (#3638)
- Prevent some possible crashes when the RFX encoder is resized (#3590 #3644)
- Fixes a regression introduced by GFX development which prevented the JPEG encoder from working correctly (#3649)
- Fixes a regression introduced by #2974 which resulted in the xrdp PID file being deleted unexpectedly (#3650)
- Do not overwrite a VNC port set by the user when not using sesman (#3674)
- Fix regression from 0.9.x when freerdp client uses /workarea (#3618 #3676)
- Fixes a crash where a resize is attempted with drdynvc disabled (#3672 #3680)
- getgrouplist() now compiles on MacOS (#3575)
- Various Coverity warnings have been addressed (#3656)
- Documentation improvements (#3665)

Internal changes
- An unnecessary include of sys/signal.h causing a compile warning on MUSL-C has been removed (#3679)

Release notes for xorgxrdp v0.10.5 (2026/01/28)

Bug fixes
- Fix bug in Chrome pointer detection (#394 #396)

Internal changes
- CI: Update FreeBSD xrdp dependency (#398)

--------------------------------------------------------------------------------
ChangeLog:

* Wed Jan 28 2026 Bojan Smojver - 1:0.10.5-1
- Update to 0.10.5
* Sat Jan 17 2026 Fedora Release Engineering - 1:0.10.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Tue Nov 4 2025 Tom Callaway - 1:0.10.4-4
- rebuild for new fuse3
* Fri Jul 25 2025 Fedora Release Engineering - 1:0.10.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1908387 - Windows with transparency show whatever is below
        https://bugzilla.redhat.com/show_bug.cgi?id=1908387
  [ 2 ] Bug #2279775 - xrdp socketdir not cleaned up on package removal
        https://bugzilla.redhat.com/show_bug.cgi?id=2279775
  [ 3 ] Bug #2322105 - AltGr on Spanish keyboards
        https://bugzilla.redhat.com/show_bug.cgi?id=2322105
  [ 4 ] Bug #2323097 - Requesting clarification on the License of xrdp rpm.
        https://bugzilla.redhat.com/show_bug.cgi?id=2323097
  [ 5 ] Bug #2433438 - CVE-2025-68670 xorgxrdp: xrdp: Remote code execution via unauthenticated stack-based buffer overflow [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2433438
  [ 6 ] Bug #2433439 - CVE-2025-68670 xrdp: xrdp: Remote code execution via unauthenticated stack-based buffer overflow [epel-8]
        https://bugzilla.redhat.com/show_bug.cgi?id=2433439
  [ 7 ] Bug #2433440 - CVE-2025-68670 xorgxrdp: xrdp: Remote code execution via unauthenticated stack-based buffer overflow [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2433440
  [ 8 ] Bug #2433441 - CVE-2025-68670 xrdp: xrdp: Remote code execution via unauthenticated stack-based buffer overflow [epel-9]
        https://bugzilla.redhat.com/show_bug.cgi?id=2433441
  [ 9 ] Bug #2433442 - CVE-2025-68670 xorgxrdp: xrdp: Remote code execution via unauthenticated stack-based buffer overflow [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2433442
  [ 10 ] Bug #2433840 - xorgxrdp-0.10.5 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2433840
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-b409dad73e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Security update for Fedora 42's xrdp addresses a critical stack overflow issue. Severity: Critical. LinuxSecurity.com Team

Feb 08, 2026 | Critical | Fedora