8.8

CVE-2026-32107

EPSS 0.02%
Veröffentlicht 17.04.2026 19:25:20
Zuletzt bearbeitet 27.04.2026 14:19:37
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

xrdp: Fail-open privilege drop in sesexec — child processes may execute as root if setuid fails

xrdp is an open source RDP server. In versions through 0.10.5, the session execution component did not properly handle an error during the privilege drop process. This improper privilege management could allow an authenticated local attacker to escalate privileges to root and execute arbitrary code on the system. An additional exploit would be needed to facilitate this. This issue has been fixed in version 0.10.6.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Neutrinolabs ≫ Xrdp Version < 0.10.6

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.051

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.8	2	6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-273 Improper Check for Dropped Privileges

The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.

https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.6

Patch

Release Notes

https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-p5m6-7m43-pjv9

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-32107

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32107

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32107

EUVD