Skip to main content

FreeRDP CVE-2026-55827

| EUVDEUVD-2026-43004 HIGH
Incorrect Calculation of Buffer Size (CWE-131)
N/A vendor:alpine
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-delivered data parsed by the client with low complexity and no client privileges, but a user must connect to the malicious server (UI:R); memory corruption yields high C/I/A with no scope change.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

10
Analysis Updated
Jul 13, 2026 - 23:01 vuln.today
v5 (cvss_changed)
Analysis Updated
Jul 13, 2026 - 23:00 vuln.today
v4 (cvss_changed)
CVSS changed
Jul 13, 2026 - 22:52 NVD
7.5 (HIGH) 8.8 (HIGH)
Patch available
Jul 10, 2026 - 21:02 EUVD
Analysis Updated
Jul 10, 2026 - 20:29 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 10, 2026 - 20:29 vuln.today
Analysis Updated
Jul 10, 2026 - 20:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Jul 10, 2026 - 20:22 NVD
7.5 (HIGH)
Analysis Generated
Jun 29, 2026 - 13:31 vuln.today

DescriptionNVD

Alpine Linux: freerdp fixed in 3.27.1-r0

AnalysisAI

Client-side memory corruption in FreeRDP (all versions before 3.27.1) lets a malicious or compromised RDP server compromise a connecting client through improperly bounds-checked bitmap cache orders. The cacheId field of Cache Bitmap V2/V3 orders was masked to only two bits (0x0003) instead of three (0x0007) and used to index cell-cache arrays without validating it against the negotiated number of cells, enabling out-of-bounds access controlled by the server. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure user to connect to malicious RDP server
Delivery
Establish RDP session and negotiate bitmap caching
Exploit
Server sends crafted Cache Bitmap V2/V3 order
Execution
cacheId mask/bounds flaw indexes cache out of bounds
Persist
Corrupt or disclose client memory
Impact
Achieve code execution or info disclosure on client

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively establish an RDP session to an attacker-controlled or compromised/MITM'd RDP server using a FreeRDP-based client older than 3.27.1 (UI:R in the CVSS vector) - the client is the target, not a listening service, so there is no unauthenticated server-side entry point. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mixed and point to a serious-but-not-yet-mass-exploited client vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker stands up a malicious RDP server (or compromises/MITMs a legitimate one) and lures a user to connect - via a phishing link, a rogue .rdp file, or a poisoned connection broker entry. During session setup the server sends a crafted Cache Bitmap V2/V3 order with a cacheId value in the previously-masked range, causing the pre-3.27.1 client to index bitmap cell caches out of bounds and corrupt or disclose client memory. …
Remediation Vendor-released patch: upgrade to FreeRDP 3.27.1 (on Alpine Linux install freerdp 3.27.1-r0 or later). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and document all systems running FreeRDP by inventory scan (rpm -qa, dpkg -l, or system management tools) and confirm which versions are below 3.27.1. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-25997 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth

CVE-2026-25953 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corrupti

CVE-2026-25952 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory cor

CVE-2026-25959 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers mem

CVE-2026-22857 CRITICAL POC
9.8 Jan 14

FreeRDP IRP thread handler has a use-after-free where the IRP is freed by Complete() then accessed on the error path. Fi

CVE-2026-22854 CRITICAL POC
9.8 Jan 14

FreeRDP drive read heap overflow when server-controlled read length exceeds IRP output buffer. Fixed in 3.20.1. PoC avai

CVE-2026-22852 CRITICAL POC
9.8 Jan 14

FreeRDP client before 3.20.1 has a heap buffer overflow in AUDIN format processing. A malicious RDP server can corrupt m

CVE-2026-25955 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and

CVE-2024-32041 CRITICAL POC
9.8 Apr 22

FreeRDP is a free implementation of the Remote Desktop Protocol. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2023-40574 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40569 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40567 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

Share

CVE-2026-55827 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy