Skip to main content

FreeRDP CVE-2026-23531

HIGH
Heap-based Buffer Overflow (CWE-122)
2026-01-19 security-advisories@github.com
7.7
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Triggered only by a malicious server the victim connects to, so UI:R; AC:L for the reliable crash, with confirmed impact limited to availability (A:H) since RCE is unproven (C:N/I:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.6 HIGH
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

11
Analysis Updated
Jun 30, 2026 - 06:08 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 06:08 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 06:07 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 06:07 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:23 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:23 NVD
CRITICAL HIGH
CVSS changed
Jun 30, 2026 - 03:23 NVD
9.8 (CRITICAL) 7.7 (HIGH)
Patch released
Apr 09, 2026 - 20:30 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Jan 28, 2026 - 18:51 vuln.today
Public exploit code
CVE Published
Jan 19, 2026 - 17:15 nvd
CRITICAL 9.8

DescriptionCVE.org

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when glyphData is present, clear_decompress calls freerdp_image_copy_no_overlap without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

AnalysisAI

Client-side heap buffer overflow in FreeRDP's ClearCodec decoder (versions prior to 3.21.0) lets a malicious or compromised RDP server corrupt a connecting client's memory. When glyphData is present, clear_decompress invokes freerdp_image_copy_no_overlap without validating the destination rectangle, producing an out-of-bounds read/write via crafted RDPGFX surface updates. Publicly available exploit code exists (per the GitHub Security Advisory), but it is not listed in CISA KEV and EPSS is low (0.13%, 33th percentile); confirmed impact is denial of service with a residual, allocator-dependent code-execution risk.

Technical ContextAI

FreeRDP is the leading open-source implementation of Microsoft's Remote Desktop Protocol, embedded in clients such as Remmina, Weston, GNOME Connections, and numerous virtualization/VDI gateways, which is why Red Hat shipped many RHSA errata for it. The flaw lives in the ClearCodec image codec (libfreerdp/codec/clear.c, around lines 1139-1145), which decompresses RemoteFX-style 'CLEAR' surface bitmaps delivered over the RDPGFX (Graphics Pipeline) virtual channel. The root cause is CWE-122 (heap-based buffer overflow): the glyph-data code path copies pixels into a destination surface via freerdp_image_copy_no_overlap without first bounds-checking the destination rectangle against the allocated surface dimensions, so a server-controlled width/height/offset drives reads and writes past the heap allocation.

RemediationAI

Vendor-released patch: upgrade FreeRDP to 3.21.0 or later (https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0), and on Red Hat systems apply the corresponding RHSA errata (e.g. RHSA-2026:2081/2222/3039 at access.redhat.com) and restart any long-running clients, gateways, or sessions that link the library. Where immediate patching is impossible, the practical compensating control is to restrict which servers clients may connect to - allowlist trusted, known RDP hosts and block outbound RDP (and RDPGFX redirection) to untrusted endpoints at the network egress, since the bug is only triggered by a malicious server's surface updates; the trade-off is reduced flexibility for ad-hoc connections. As a defense-in-depth measure, run RDP clients with reduced privileges and standard heap hardening (ASLR/heap protections) to lower the chance the overflow escalates from a crash to code execution; this mitigates impact but does not remove the vulnerability. Full reference: GHSA-xj5h-9cr5-23c5.

CVE-2026-25997 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth

CVE-2026-25953 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corrupti

CVE-2026-25952 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory cor

CVE-2026-25959 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers mem

CVE-2026-22857 CRITICAL POC
9.8 Jan 14

FreeRDP IRP thread handler has a use-after-free where the IRP is freed by Complete() then accessed on the error path. Fi

CVE-2026-22854 CRITICAL POC
9.8 Jan 14

FreeRDP drive read heap overflow when server-controlled read length exceeds IRP output buffer. Fixed in 3.20.1. PoC avai

CVE-2026-22852 CRITICAL POC
9.8 Jan 14

FreeRDP client before 3.20.1 has a heap buffer overflow in AUDIN format processing. A malicious RDP server can corrupt m

CVE-2026-25955 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and

CVE-2024-32041 CRITICAL POC
9.8 Apr 22

FreeRDP is a free implementation of the Remote Desktop Protocol. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2023-40574 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40569 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40567 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.0/rt-os-container:latest Affected
Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Image SL-Micro Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.43 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.67 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.57 Affected
Container suse/sl-micro/6.1/base-os-container:2.2.1-5.64 Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
SUSE Liberty Linux 8 Fixed

Share

CVE-2026-23531 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy