Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Published: 2026-01-19
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

A heap-buffer-overflow occurs in the FreeRDP client’s gdi_SurfaceToSurface path when the destination rectangle clamping does not match the actual copy size. A malicious RDP server can send crafted data that triggers an overflow on the client side, leading to a crash that provides denial‑of‑service. Depending on the memory allocator and surrounding heap layout, the overflow may also result in heap corruption and the opportunity to execute arbitrary code on the client. The weakness is classified as CWE‑122.
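The bug class described above, illustrated with an added example. This is hypothetical C written for this page, not FreeRDP's code: the surface and rectangle types, `clamp_rect`, `overflow_bytes_with_mismatched_size` and `surface_to_surface` are all constructed here. The first function is a dry run of the unsafe pattern (destination rectangle clamped to the surface, copy size still taken from the requested rectangle) and returns how far such a copy would run past the destination buffer without writing anything; the second is the hardened form, where the copy size is derived from the clamped destination rectangle and the source offset is shifted by the same amount.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 32-bpp surface; not FreeRDP's gdi types. */
typedef struct {
    uint32_t width, height;
    uint32_t *pixels;            /* width * height entries, row-major */
} surface_t;

/* Half-open rectangle: pixels [left,right) x [top,bottom). */
typedef struct { int32_t left, top, right, bottom; } rect_t;

static surface_t *surface_alloc(uint32_t w, uint32_t h)
{
    surface_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->width = w; s->height = h;
    s->pixels = calloc((size_t)w * h, sizeof(uint32_t));
    if (!s->pixels) { free(s); return NULL; }
    return s;
}

static void surface_free(surface_t *s) { if (s) { free(s->pixels); free(s); } }

/* Intersect a rectangle with the surface bounds (dimensions assumed < INT32_MAX). */
static rect_t clamp_rect(rect_t r, const surface_t *s)
{
    if (r.left < 0) r.left = 0;
    if (r.top < 0) r.top = 0;
    if (r.right > (int32_t)s->width) r.right = (int32_t)s->width;
    if (r.bottom > (int32_t)s->height) r.bottom = (int32_t)s->height;
    return r;
}

/* Unsafe pattern, as a dry run: the destination rectangle is clamped, but the copy still
 * uses the width/height of the *requested* rectangle. Nothing is written; the function
 * returns how many bytes such a copy would land past the end of dst->pixels (0 = in bounds). */
static size_t overflow_bytes_with_mismatched_size(const surface_t *dst, rect_t req)
{
    rect_t c = clamp_rect(req, dst);
    if (c.right <= c.left || c.bottom <= c.top) return 0;   /* nothing would be copied */
    size_t copy_w = (size_t)(req.right - req.left);          /* unclamped sizes */
    size_t copy_h = (size_t)(req.bottom - req.top);
    /* index one past the last pixel the final row would touch */
    size_t end_px = ((size_t)c.top + copy_h - 1) * dst->width + (size_t)c.left + copy_w;
    size_t end_bytes = end_px * sizeof(uint32_t);
    size_t limit = (size_t)dst->width * dst->height * sizeof(uint32_t);
    return end_bytes > limit ? end_bytes - limit : 0;
}

/* Hardened pattern: clamp both rectangles, derive the copy size from the clamped
 * destination, and shift the source origin by the same amount the clamp moved the
 * destination. Returns pixels copied, or -1 if the request is rejected. */
static long surface_to_surface(surface_t *dst, int32_t dx, int32_t dy,
                               const surface_t *src, rect_t src_rect)
{
    /* keep dx/dy in a range where the arithmetic below cannot overflow */
    if (dx < -(int32_t)src->width || dy < -(int32_t)src->height ||
        dx > (int32_t)dst->width || dy > (int32_t)dst->height)
        return -1;
    rect_t s = clamp_rect(src_rect, src);
    if (s.right <= s.left || s.bottom <= s.top) return -1;
    rect_t want = { dx, dy, dx + (s.right - s.left), dy + (s.bottom - s.top) };
    rect_t d = clamp_rect(want, dst);
    if (d.right <= d.left || d.bottom <= d.top) return -1;
    int32_t cw = d.right - d.left, ch = d.bottom - d.top;   /* size from the clamped dst */
    int32_t ox = d.left - dx, oy = d.top - dy;              /* how far clamping moved dst */
    for (int32_t y = 0; y < ch; y++)
        memmove(&dst->pixels[(size_t)(d.top + y) * dst->width + (size_t)d.left],
                &src->pixels[(size_t)(s.top + oy + y) * src->width + (size_t)(s.left + ox)],
                (size_t)cw * sizeof(uint32_t));
    return (long)cw * ch;
}

int main(void)
{
    surface_t *src = surface_alloc(16, 16), *dst = surface_alloc(16, 16);
    if (!src || !dst) return 1;
    for (size_t i = 0; i < 256; i++) src->pixels[i] = (uint32_t)(i + 1); /* constructed fill */
    rect_t req = { 12, 12, 20, 20 };   /* 8x8 block placed so it runs off the bottom-right */
    printf("mismatched size would overflow by %zu bytes\n",
           overflow_bytes_with_mismatched_size(dst, req));
    printf("hardened copy wrote %ld pixels\n",
           surface_to_surface(dst, 12, 12, src, (rect_t){ 0, 0, 8, 8 }));
    surface_free(src); surface_free(dst);
    return 0;
}
```

The defensive rule the hardened version encodes: whichever rectangle is clamped, the byte count handed to the copy must be computed from the clamped result, and the other side of the copy must be offset by the same delta, so that a server-controlled rectangle can only shrink the copy, never extend it.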

Affected Systems

All FreeRDP clients prior to version 3.21.0 are affected. The issue manifests in the free implementation of the Remote Desktop Protocol provided by the vendor FreeRDP.

Risk and Exploitability

The CVSS score of 7.7 rates the vulnerability as high severity. The EPSS score is below 1%, indicating that, at the time of assessment, exploitation is thought to be rare. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the client to connect to a malicious RDP server and relies on the client performing an unsafe memory copy. If an attacker can influence the heap layout, the risk of remote code execution rises; in typical deployments the primary risk is denial of service.

Generated by OpenCVE AI on April 18, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to FreeRDP 3.21.0 or later to fix the heap-buffer-overflow in gdi_SurfaceToSurface.
  • If an upgrade cannot occur immediately, restrict incoming RDP connections to trusted hosts and monitor the client for abnormal crashes or memory usage patterns.
  • Deploy an intermediate firewall or proxy that filters RDP traffic, allowing only known, authenticated servers and blocking attempts to send malformed paint operations that could trigger the overflow.



Advisories

No advisories yet.

History

Wed, 28 Jan 2026 19:00:00 +0000

  CPEs     added:   cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
  Metrics  removed: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}
           added:   cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 22:15:00 +0000

  Metrics  added:   ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 08:45:00 +0000

  First Time appeared  added: Freerdp; Freerdp freerdp
  Vendors & Products   added: Freerdp; Freerdp freerdp

Tue, 20 Jan 2026 00:15:00 +0000

  References
  Metrics  removed: threat_severity None
           added:   cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}
           added:   threat_severity Important


Mon, 19 Jan 2026 17:15:00 +0000

  Description  added: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
  Title        added: FreeRDP has heap-buffer-overflow in gdi_SurfaceToSurface
  Weaknesses   added: CWE-122
  References
  Metrics      added: cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T21:37:53.418Z

Reserved: 2026-01-13T18:22:43.981Z

Link: CVE-2026-23532

Vulnrichment

Updated: 2026-01-20T21:37:50.673Z

NVD

Status : Analyzed

Published: 2026-01-19T17:15:51.040

Modified: 2026-01-28T18:48:28.807

Link: CVE-2026-23532

Red Hat

Severity: Important

Public Date: 2026-01-19T17:03:51Z

Links: CVE-2026-23532 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses