CVE-2025-68670 — xrdp pre-authentication stack overflow, arbitrary code execution [SINGLE-SOURCE]
From CTI Daily Brief — 2026-05-09 · published 2026-05-09
CVE-2025-68670 is a pre-authentication stack buffer overflow in the xrdp_wm_parse_domain_information function of xrdp, the open-source RDP server for Linux, disclosed by Kaspersky researchers Denis Skvortsov and Dmitry Shmoylov on 2026-05-08. Because the flaw sits before credential checking, any client that can reach the service can trigger it. Domain names that begin with an underscore and contain __ delimiters are routed through a UTF-16-to-UTF-8 conversion path; the converted output is written from a 512-byte input buffer into a 256-byte stack buffer with no bounds check, and because UTF-8 can need more bytes per character than UTF-16, the conversion step amplifies the overflow beyond the raw size difference. Stack canaries are present, but the researchers describe them as bypassable if the canary value is leaked. Timeline: reported 2025-12-05, CVE assigned 2025-12-24, mainline patch merged 2026-01-27, public disclosure 2026-05-08. Affected: xrdp versions before 0.10.5; fixed in 0.10.5, with backported fixes in 0.10.4.1 and 0.9.27 (Kaspersky Securelist — CVE-2025-68670, 2026-05-08). xrdp is widely deployed in Linux remote-access and thin-client environments, including public-sector Linux desktops, so exposed instances on older versions should be prioritised for patching.
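The amplification described above is easy to miss in review, so the following added illustration (written for this brief, not xrdp's code, and not a reconstruction of xrdp_wm_parse_domain_information) shows the general pattern: a UTF-16LE-to-UTF-8 converter that writes into a caller's buffer without knowing its size, beside a bounded version that refuses input that would not fit. Only the 512-byte input and 256-byte destination figures come from the advisory; the function names, the sample input and the surrogate-pair handling are assumptions made for the example. A code unit in the U+0800..U+FFFF range costs 2 bytes in UTF-16 but 3 in UTF-8, so 512 bytes of such input expands to 768 bytes, three times the destination.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INPUT_BYTES 512   /* input buffer size named in the advisory */
#define STACK_BUF   256   /* destination stack buffer size named in the advisory */

/* Read one code point from a UTF-16LE buffer at unit index *i; advances *i by
 * 1 or 2 units. Unpaired surrogates are replaced with U+FFFD. */
static uint32_t next_cp(const uint8_t *in, size_t n_units, size_t *i) {
    uint16_t u = (uint16_t)(in[2 * *i] | (in[2 * *i + 1] << 8));
    (*i)++;
    if (u >= 0xD800 && u <= 0xDBFF && *i < n_units) {
        uint16_t lo = (uint16_t)(in[2 * *i] | (in[2 * *i + 1] << 8));
        if (lo >= 0xDC00 && lo <= 0xDFFF) {
            (*i)++;
            return 0x10000 + ((uint32_t)(u - 0xD800) << 10) + (uint32_t)(lo - 0xDC00);
        }
    }
    if (u >= 0xD800 && u <= 0xDFFF) return 0xFFFD;
    return u;
}

/* UTF-8 length of a code point: 1 to 4 bytes. */
static size_t utf8_len(uint32_t cp) {
    return cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
}

/* Encode one code point at out; caller guarantees room for utf8_len(cp) bytes. */
static void utf8_put(uint8_t *out, uint32_t cp) {
    if (cp < 0x80) {
        out[0] = (uint8_t)cp;
    } else if (cp < 0x800) {
        out[0] = (uint8_t)(0xC0 | (cp >> 6));
        out[1] = (uint8_t)(0x80 | (cp & 0x3F));
    } else if (cp < 0x10000) {
        out[0] = (uint8_t)(0xE0 | (cp >> 12));
        out[1] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (uint8_t)(0x80 | (cp & 0x3F));
    } else {
        out[0] = (uint8_t)(0xF0 | (cp >> 18));
        out[1] = (uint8_t)(0x80 | ((cp >> 12) & 0x3F));
        out[2] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F));
        out[3] = (uint8_t)(0x80 | (cp & 0x3F));
    }
}

/* Vulnerable pattern (hypothetical): converts the whole input into out without
 * knowing how large out is. Stops at a NUL code unit or the end of the input.
 * Returns bytes written, excluding the terminator. */
size_t convert_unbounded(const uint8_t *in, size_t in_bytes, uint8_t *out) {
    size_t n_units = in_bytes / 2, i = 0, o = 0;
    while (i < n_units) {
        uint32_t cp = next_cp(in, n_units, &i);
        if (cp == 0) break;
        utf8_put(out + o, cp);
        o += utf8_len(cp);
    }
    out[o] = 0;
    return o;
}

/* Hardened form: same conversion, but each write is checked against the
 * destination capacity, keeping room for the terminator. Returns bytes
 * written, or -1 if the converted string would not fit. */
long convert_bounded(const uint8_t *in, size_t in_bytes, uint8_t *out, size_t out_cap) {
    size_t n_units = in_bytes / 2, i = 0, o = 0;
    if (out_cap == 0) return -1;
    while (i < n_units) {
        uint32_t cp = next_cp(in, n_units, &i);
        if (cp == 0) break;
        size_t need = utf8_len(cp);
        if (need > out_cap - 1 - o) return -1;   /* would overflow: refuse */
        utf8_put(out + o, cp);
        o += need;
    }
    out[o] = 0;
    return (long)o;
}

/* Constructed sample input: buf filled with U+4E2D (2 bytes in UTF-16LE,
 * 3 in UTF-8), no NUL terminator. Returns the number of bytes filled. */
size_t sample_cjk_utf16le(uint8_t *buf, size_t buf_bytes) {
    size_t n = 0;
    while (n + 2 <= buf_bytes) { buf[n++] = 0x2D; buf[n++] = 0x4E; }
    return n;
}

/* Bytes the unbounded converter writes for a 512-byte CJK input (768). */
long unbounded_bytes_for_cjk_sample(void) {
    uint8_t in[INPUT_BYTES];
    uint8_t out[3 * INPUT_BYTES / 2 + 1];   /* large enough here; a 256-byte buffer is not */
    size_t n = sample_cjk_utf16le(in, sizeof in);
    return (long)convert_unbounded(in, n, out);
}

/* Result of the bounded converter for the same input into 256 bytes (-1). */
long bounded_result_for_cjk_sample(void) {
    uint8_t in[INPUT_BYTES], out[STACK_BUF];
    size_t n = sample_cjk_utf16le(in, sizeof in);
    return convert_bounded(in, n, out, sizeof out);
}

/* ASCII control: 255 'a' code units plus NUL fit exactly into 256 bytes (255). */
long bounded_result_for_ascii_sample(void) {
    uint8_t in[INPUT_BYTES], out[STACK_BUF];
    memset(in, 0, sizeof in);
    for (size_t k = 0; k < 255; k++) in[2 * k] = 'a';
    return convert_bounded(in, sizeof in, out, sizeof out);
}

int main(void) {
    printf("unbounded write for 512-byte CJK input: %ld bytes (stack buffer is %d)\n",
           unbounded_bytes_for_cjk_sample(), STACK_BUF);
    printf("bounded converter, same input: %ld\n", bounded_result_for_cjk_sample());
    printf("bounded converter, 255 ASCII units: %ld\n", bounded_result_for_ascii_sample());
    return 0;
}
```

The point for reviewers: a length check on the input alone ("at most 512 bytes") does not protect a 256-byte destination once a width-changing transcode sits between them; the bound has to be applied to the output at each write, as convert_bounded does, or the destination sized to the worst-case expansion (here 1.5x the UTF-16 byte count).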
CVE Summary Table
| CVE | Product | CVSS | EPSS | CISA KEV (due date) | Exploited in the wild | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-42208 | LiteLLM Proxy | 9.3 | n/a | Yes (due 2026-05-11) | Yes — ITW ~26 h post-advisory | v1.83.7+ | Bishop Fox |
| CVE-2026-43284 | Linux kernel (xfrm-ESP) | n/a | n/a | No | Yes — limited campaigns (Microsoft) | Mainline patch 2026-05-08; distro updates in progress | Wiz Research |
| CVE-2026-43500 | Linux kernel (RxRPC) | n/a | n/a | No | Yes — limited campaigns (Microsoft) | Kernel patch PENDING; distro patches PENDING | Wiz Research |
| CVE-2026-44128 | SEPPmail Secure Email Gateway | 9.3 | n/a | No | None confirmed | patch 15.0.4.1 | NCSC-CH 12551 |
| CVE-2026-44125 | SEPPmail (GINAv2) | 9.3 | n/a | No | None confirmed | patch 15.0.4 | NCSC-CH 12551 |
| CVE-2026-44126 | SEPPmail | 9.2 | n/a | No | None confirmed | patch 15.0.4 | NCSC-CH 12551 |
| CVE-2026-40982 | Spring Cloud Config Server | 9.8 | n/a | No | None confirmed | 4.3.3 / 5.0.3 (OSS) | Spring.io |
| CVE-2025-68670 | xrdp | n/a | n/a | No | None confirmed | xrdp 0.10.5 / 0.10.4.1 / 0.9.27 | Kaspersky Securelist |