1. Ubuntu Security Notices
  2. USN-8476-1

USN-8476-1: xrdp vulnerabilities

Publication date

25 June 2026

Overview

Several security issues were fixed in xrdp.

Releases

Packages

  • xrdp - an open source RDP server

Details

It was discovered that xrdp incorrectly handled bounds checking when
processing user domain information during the connection sequence. An
unauthenticated remote attacker could use this issue to cause xrdp to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2025-68670)

It was discovered that xrdp did not correctly enforce the maximum number of
login attempts configured by the MaxLoginRetry parameter. A remote attacker
could use this issue to perform an unlimited number of login attempts.
(CVE-2024-39917)

It was discovered that xrdp did not perform bounds checking when accessing
font glyphs. Since some of this data is controllable by the user, a remote
attacker could use this issue to cause xrdp to read out of bounds. This
issue only affected Ubuntu 24.04 LTS. (

It was discovered that xrdp incorrectly handled bounds checking when
processing user domain information during the connection sequence. An
unauthenticated remote attacker could use this issue to cause xrdp to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2025-68670)

It was discovered that xrdp did not correctly enforce the maximum number of
login attempts configured by the MaxLoginRetry parameter. A remote attacker
could use this issue to perform an unlimited number of login attempts.
(CVE-2024-39917)

It was discovered that xrdp did not perform bounds checking when accessing
font glyphs. Since some of this data is controllable by the user, a remote
attacker could use this issue to cause xrdp to read out of bounds. This
issue only affected Ubuntu 24.04 LTS. (CVE-2023-42822)

It was discovered that xrdp did not properly handle session establishment
errors. A remote attacker could use this issue to bypass OS-level session
restrictions enforced by PAM, such as the maximum number of concurrent
sessions per user. This issue only affected Ubuntu 24.04 LTS.
(CVE-2023-40184)

Update instructions

After a standard system update you need to restart xrdp to make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
25.10 questing xrdp –  0.10.1-3.1+deb13u1build0.25.10.1
24.04 LTS noble xrdp –  0.9.24-4ubuntu0.1~esm1  
22.04 LTS jammy xrdp –  0.9.17-2ubuntu3+esm2  
20.04 LTS focal xrdp –  0.9.12-1ubuntu0.1+esm2  
18.04 LTS bionic xorgxrdp –  0.9.5-2ubuntu0.1~esm3  
xrdp –  0.9.5-2ubuntu0.1~esm3  
xrdp-pulseaudio-installer –  0.9.5-2ubuntu0.1~esm3  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›