Skip to main content

FreeRDP EUVDEUVD-2026-12060

| CVE-2026-31806 CRITICAL
Heap-based Buffer Overflow (CWE-122)
2026-03-13 GitHub_M
9.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Server-to-client attack: victim client must connect to a malicious server (UI:R), no attacker auth (PR:N), low complexity, with heap corruption enabling potential full RCE (C/I/A:H).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

13
Analysis Updated
Jun 30, 2026 - 04:01 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 03:58 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 03:57 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 30, 2026 - 03:55 vuln.today
Analysis Updated
Jun 30, 2026 - 03:55 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 03:24 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Updated
Apr 16, 2026 - 05:50 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.24.0
EUVD ID Assigned
Mar 13, 2026 - 18:00 euvd
EUVD-2026-12060
Analysis Generated
Mar 13, 2026 - 18:00 vuln.today
CVE Published
Mar 13, 2026 - 17:40 nvd
CRITICAL 9.8

DescriptionCVE.org

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits() function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size. Because these values are used during bitmap decoding and memory operations without proper bounds checking, this can lead to a heap buffer overflow. Since the attacker can also control the associated pixel data transmitted by the server, the overflow may be exploitable to overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0.

AnalysisAI

Heap buffer overflow in FreeRDP's NSCodec surface-bits handler (versions prior to 3.24.0) lets a malicious or compromised RDP server corrupt heap memory on connecting clients. The gdi_surface_bits() path passes server-supplied bmp.width and bmp.height into nsc_process_message() without validating them against the actual desktop dimensions, and because the attacker also controls the decoded pixel data, the out-of-bounds write can overwrite adjacent heap allocations with attacker-chosen bytes - a potential path to remote code execution. EPSS is low (0.04%, 13th percentile) and there is no public exploit identified at time of analysis.

Technical ContextAI

FreeRDP is the leading open-source implementation of Microsoft's Remote Desktop Protocol and underpins many third-party RDP clients (e.g. Remmina) and is packaged across major Linux distributions, as the Red Hat and SUSE errata indicate. The flaw is a CWE-122 heap-based buffer overflow in the NSC (NSCodec) decoder, libfreerdp/codec/nsc.c. SURFACE_BITS_COMMAND messages carry bitmap update regions; when the codec is NSCodec, the server-provided width/height are used to drive freerdp_image_copy_no_overlap() into the destination surface buffer. The buffer is sized for the negotiated desktop dimensions (nWidth/nHeight), but the code copied 'width'/'height' rows and columns directly, so values exceeding the surface caused writes past the allocation. The official fix (commit 83d9aedea2) clamps the copy region: cwidth = nWidth - nXDst and cheight = nHeight - nYDst when the destination offset plus dimension would exceed the surface bounds.

RemediationAI

Vendor-released patch: FreeRDP 3.24.0 - upgrade clients and any embedded libraries to 3.24.0 or later (fix commit 83d9aedea278a74af3e490ff5eeb889c016dbb2b). On Red Hat and SUSE systems, apply the corresponding distribution updates (e.g. RHSA-2026:6340/6727/6743/6799/6918/6958/10076 and SUSE-SU-2026:1129/1160/1164/1165/1398) and restart affected applications. Where immediate patching is not possible, the practical compensating control is to restrict outbound RDP: only connect FreeRDP clients to trusted, known RDP servers and block or egress-filter connections to untrusted RDP endpoints (default 3389), since the attack originates from the server side - the trade-off is reduced flexibility for users who legitimately connect to many hosts. Avoid connecting to untrusted or unknown RDP servers and prefer servers that do not negotiate NSCodec where configurable, recognizing that codec negotiation is server-driven and cannot be fully relied upon as a control. Full details are in the advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rrqm-46rj-cmx2.

CVE-2026-25997 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth

CVE-2026-25953 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corrupti

CVE-2026-25952 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory cor

CVE-2026-25959 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers mem

CVE-2026-22857 CRITICAL POC
9.8 Jan 14

FreeRDP IRP thread handler has a use-after-free where the IRP is freed by Complete() then accessed on the error path. Fi

CVE-2026-22854 CRITICAL POC
9.8 Jan 14

FreeRDP drive read heap overflow when server-controlled read length exceeds IRP output buffer. Fixed in 3.20.1. PoC avai

CVE-2026-22852 CRITICAL POC
9.8 Jan 14

FreeRDP client before 3.20.1 has a heap buffer overflow in AUDIN format processing. A malicious RDP server can corrupt m

CVE-2026-25955 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and

CVE-2024-32041 CRITICAL POC
9.8 Apr 22

FreeRDP is a free implementation of the Remote Desktop Protocol. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2023-40574 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40569 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40567 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Liberty Linux 10 Fixed
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Linux Enterprise Workstation Extension 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed

Share

EUVD-2026-12060 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy