A security update is available for the xrdp package, which contains an unauthenticated stack-based buffer overflow vulnerability. If exploited, this could allow remote attackers to execute arbitrary code on the target system. The issue has been fixed in version 0.9.21.1-1~deb11u3, and users are recommended to upgrade their xrdp packages for Debian GNU/Linux 11 (Bullseye) LTS. Further information about the update can be found on the Debian LTS security advisories page or the security tracker page for xrdp.

[DLA 4464-1] xrdp security update

[SECURITY] [DLA 4464-1] xrdp security update

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-4464-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
February 03, 2026 https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package : xrdp
Version : 0.9.21.1-1~deb11u3
CVE ID : CVE-2025-68670
Debian Bug : 1126537

xrdp is an open source RDP server. It was found that xrdp contains an
unauthenticated stack-based buffer overflow vulnerability. The issue
stems from improper bounds checking when processing user domain
information during the connection sequence. If exploited, the
vulnerability could allow remote attackers to execute arbitrary code
on the target system.

For Debian 11 bullseye, this problem has been fixed in version
0.9.21.1-1~deb11u3.

We recommend that you upgrade your xrdp packages.

For the detailed security status of xrdp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xrdp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS