CVE-2026-26955
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., xfreerdp) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The gdi_SurfaceCommand_ClearCodec() handler does not call is_within_surface() to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled cmd->left/cmd->top (and subcodec rectangle offsets) to reach image copy routines that write into surface->data without bounds enforcement. The OOB write corrupts an adjacent gdiGfxSurface struct's codecs* pointer with attacker-controlled pixel data, and corruption of codecs* is sufficient to reach an indirect function pointer call (NSC_CONTEXT.decode at nsc.c:500) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| FreeRDP | FreeRDP | < 3.23.0 | affected |
Weaknesses
- CWE-787: CWE-787: Out-of-bounds Write
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
freerdp: FreeRDP: Arbitrary code execution via heap buffer overflow in GDI surface pipeline
Additional References
- https://access.redhat.com/security/cve/CVE-2026-26955
- https://bugzilla.redhat.com/show_bug.cgi?id=2443132
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26955.json
- https://access.redhat.com/errata/RHSA-2026:7292
- https://access.redhat.com/errata/RHSA-2026:5936
- https://access.redhat.com/errata/RHSA-2026:5939
- https://access.redhat.com/errata/RHSA-2026:19033
- https://access.redhat.com/errata/RHSA-2026:6005
- https://access.redhat.com/errata/RHSA-2026:6712
- https://access.redhat.com/errata/RHSA-2026:6616
- https://access.redhat.com/errata/RHSA-2026:6665
- https://access.redhat.com/errata/RHSA-2026:6764
- https://access.redhat.com/errata/RHSA-2026:6395
- https://access.redhat.com/errata/RHSA-2026:6396
- https://access.redhat.com/errata/RHSA-2026:6384
- https://access.redhat.com/errata/RHSA-2026:6385
- https://access.redhat.com/errata/RHSA-2026:6004
References
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mr6w-ch7c-mqqj
- https://github.com/FreeRDP/FreeRDP/commit/7d8fdce2d0ef337cb86cb37fc0c436c905e04d77
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.