
FreeRDP CVE-2026-26955

Severity: HIGH (CVSS 3.1 score 8.8)
Weakness: Out-of-bounds Write (CWE-787)
2026-02-25 security-advisories@github.com

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:55 (vuln.today)
PoC Detected: Feb 27, 2026 - 14:50 (vuln.today), public exploit code
Patch released: Feb 27, 2026 - 14:50 (nvd), patch available
CVE Published: Feb 25, 2026 - 21:16 (nvd), HIGH 8.8

Description (NVD)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., xfreerdp) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The gdi_SurfaceCommand_ClearCodec() handler does not call is_within_surface() to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled cmd->left/cmd->top (and subcodec rectangle offsets) to reach image copy routines that write into surface->data without bounds enforcement. The OOB write corrupts an adjacent gdiGfxSurface struct's codecs* pointer with attacker-controlled pixel data, and corruption of codecs* is sufficient to reach an indirect function pointer call (NSC_CONTEXT.decode at nsc.c:500) on a subsequent codec command - full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.
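
The missing check described above, as an added C example (not FreeRDP's code and not the 3.23.0 patch): a command's destination rectangle is validated against the surface dimensions before any pixel copy runs. The types, function names, 32-bit pixel size and 8x8 test surface are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not FreeRDP's real types. */
typedef struct { uint32_t width, height, stride; uint8_t *data; } surface_t;
typedef struct { uint32_t left, top, width, height; } cmd_rect_t;
enum { BPP = 4, SW = 8, SH = 8 }; /* assumed 32-bit pixels, constructed 8x8 surface */

/* True only if the whole rectangle lies inside the surface. Written with
 * subtraction so left+width / top+height cannot wrap past UINT32_MAX. */
static bool rect_within_surface(const surface_t *s, const cmd_rect_t *r)
{
    if (r->left > s->width || r->top > s->height)
        return false;
    return r->width <= s->width - r->left && r->height <= s->height - r->top;
}

/* Copies decoded pixels into the surface; rejects the command before any
 * write when the destination rectangle is out of bounds. */
static bool surface_blit_checked(surface_t *s, const cmd_rect_t *r, const uint8_t *src)
{
    if (!s || !s->data || !r || !src || !rect_within_surface(s, r))
        return false;
    for (uint32_t y = 0; y < r->height; y++) {
        uint8_t *dst = s->data + (size_t)(r->top + y) * s->stride + (size_t)r->left * BPP;
        memcpy(dst, src + (size_t)y * r->width * BPP, (size_t)r->width * BPP);
    }
    return true;
}

/* Constructed self-check: 0 = accepted and exactly the rectangle was written,
 * 1 = command rejected before any write, -1 = unexpected result. */
static int demo_blit(uint32_t left, uint32_t top, uint32_t w, uint32_t h)
{
    static uint8_t pixels[SW * SH * BPP], src[SW * SH * BPP];
    memset(pixels, 0x00, sizeof(pixels));
    memset(src, 0xAA, sizeof(src));
    surface_t s = { SW, SH, SW * BPP, pixels };
    cmd_rect_t r = { left, top, w, h };
    if (!surface_blit_checked(&s, &r, src))
        return 1;
    size_t written = 0;
    for (size_t i = 0; i < sizeof(pixels); i++)
        written += (pixels[i] == 0xAA);
    return written == (size_t)w * h * BPP ? 0 : -1;
}

int main(void) { return (demo_blit(2, 2, 4, 4) == 0 && demo_blit(6, 6, 4, 4) == 1) ? 0 : 1; }
```

The same check has to be applied to every sub-rectangle a codec derives from the command, since the description notes that subcodec rectangle offsets reach the copy routines as well.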

Analysis (AI)

FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 8.8 HIGH]


Remediation (AI)

Within 24 hours: Inventory all systems running FreeRDP and assess exposure in your environment. Within 7 days: Deploy vendor patches to all affected FreeRDP installations, prioritizing internet-facing and critical systems. …
