Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Network-delivered data parsed by the client with low complexity and no client privileges, but a user must connect to the malicious server (UI:R); memory corruption yields high C/I/A with no scope change.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
10DescriptionNVD
Alpine Linux: freerdp fixed in 3.27.1-r0
AnalysisAI
Client-side memory corruption in FreeRDP (all versions before 3.27.1) lets a malicious or compromised RDP server compromise a connecting client through improperly bounds-checked bitmap cache orders. The cacheId field of Cache Bitmap V2/V3 orders was masked to only two bits (0x0003) instead of three (0x0007) and used to index cell-cache arrays without validating it against the negotiated number of cells, enabling out-of-bounds access controlled by the server. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to actively establish an RDP session to an attacker-controlled or compromised/MITM'd RDP server using a FreeRDP-based client older than 3.27.1 (UI:R in the CVSS vector) - the client is the target, not a listening service, so there is no unauthenticated server-side entry point. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are mixed and point to a serious-but-not-yet-mass-exploited client vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker stands up a malicious RDP server (or compromises/MITMs a legitimate one) and lures a user to connect - via a phishing link, a rogue .rdp file, or a poisoned connection broker entry. During session setup the server sends a crafted Cache Bitmap V2/V3 order with a cacheId value in the previously-masked range, causing the pre-3.27.1 client to index bitmap cell caches out of bounds and corrupt or disclose client memory. … |
| Remediation | Vendor-released patch: upgrade to FreeRDP 3.27.1 (on Alpine Linux install freerdp 3.27.1-r0 or later). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify and document all systems running FreeRDP by inventory scan (rpm -qa, dpkg -l, or system management tools) and confirm which versions are below 3.27.1. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth
Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corrupti
Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory cor
Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers mem
FreeRDP IRP thread handler has a use-after-free where the IRP is freed by Complete() then accessed on the error path. Fi
FreeRDP drive read heap overflow when server-controlled read length exceeds IRP output buffer. Fixed in 3.20.1. PoC avai
FreeRDP client before 3.20.1 has a heap buffer overflow in AUDIN format processing. A malicious RDP server can corrupt m
Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and
FreeRDP is a free implementation of the Remote Desktop Protocol. Rated critical severity (CVSS 9.8), this vulnerability
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical
Same weakness CWE-131 – Incorrect Calculation of Buffer Size
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43004