Skip to main content

FreeRDP CVE-2026-44421

| EUVDEUVD-2026-33433 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-05-29 GitHub_M
8.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
May 29, 2026 - 21:02 EUVD
Analysis Generated
May 29, 2026 - 20:31 vuln.today

DescriptionCVE.org

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client by sending crafted RDPGFX PDUs. The bug is in gdi_CacheToSurface: it validates a destination rectangle that is clamped to UINT16_MAX, but then performs the copy using the original cacheEntry->width/height. This can cause a large out-of-bounds heap write and may lead to client crashes or code execution. This bug is reachable from a malicious RDP server, but only when the client has RDPGFX enabled. This vulnerability is fixed in 3.26.0.

AnalysisAI

Heap buffer overflow write in FreeRDP client versions prior to 3.26.0 allows a malicious RDP server to corrupt client memory and potentially achieve code execution when the victim connects with RDPGFX enabled. The flaw resides in gdi_CacheToSurface, where validation uses a clamped destination rectangle while the actual copy uses unclamped cacheEntry width/height values, enabling a large out-of-bounds heap write. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

FreeRDP is the widely used open-source implementation of Microsoft's Remote Desktop Protocol, embedded in many Linux remote-desktop clients (Remmina, GNOME Connections, Weston, xrdp tooling) and downstream distributions. The root cause is a CWE-122 heap-based buffer overflow in the RDPGFX (Graphics Pipeline Extension, MS-RDPEGFX) surface caching path: gdi_CacheToSurface clamps the destination rectangle to UINT16_MAX for its bounds check but then performs the memcpy using the attacker-controlled cacheEntry->width and cacheEntry->height fields delivered via crafted RDPGFX PDUs. Because the validated rectangle and the copied region are derived from different values, the size check is effectively bypassed, producing a large out-of-bounds heap write into GDI surface buffers. CPE coverage in NVD is the wildcard cpe:2.3:a:freerdp:freerdp:*, indicating all upstream versions before 3.26.0 share the vulnerable code path.

RemediationAI

Upgrade to FreeRDP 3.26.0 or later, which contains the upstream fix correcting gdi_CacheToSurface to use the validated dimensions during the copy; see the vendor advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6r2-4hgm-m6ff for commit details. Where immediate upgrade is not possible, disable the Graphics Pipeline Extension on the client by removing the /gfx (and related /gfx-h264, /gfx-progressive) command-line flags or equivalent configuration in wrappers such as Remmina, which closes the vulnerable code path at the cost of falling back to legacy bitmap codecs with reduced visual quality and higher bandwidth use. Operationally, restrict outbound RDP (TCP/UDP 3389) from end-user workstations to a known allowlist of internal RDP gateways so users cannot be steered to attacker-controlled servers via phishing links or rdp:// handlers, accepting that this breaks ad-hoc connections to external hosts. Downstream Linux distributions should be monitored for backported package updates; verify the installed package version after patching rather than relying solely on distro changelog entries.

CVE-2026-25997 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth

CVE-2026-25953 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corrupti

CVE-2026-25952 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory cor

CVE-2026-25959 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers mem

CVE-2026-22857 CRITICAL POC
9.8 Jan 14

FreeRDP IRP thread handler has a use-after-free where the IRP is freed by Complete() then accessed on the error path. Fi

CVE-2026-22854 CRITICAL POC
9.8 Jan 14

FreeRDP drive read heap overflow when server-controlled read length exceeds IRP output buffer. Fixed in 3.20.1. PoC avai

CVE-2026-22852 CRITICAL POC
9.8 Jan 14

FreeRDP client before 3.20.1 has a heap buffer overflow in AUDIN format processing. A malicious RDP server can corrupt m

CVE-2026-25955 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and

CVE-2024-32041 CRITICAL POC
9.8 Apr 22

FreeRDP is a free implementation of the Remote Desktop Protocol. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2023-40574 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40569 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40567 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed

Share

CVE-2026-44421 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy