CVE-2026-23732 - Vulnerability Details

- FreeRDP has heap-buffer-overflow in Glyph_Alloc

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client‑side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue.

Published: 2026-01-19

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the parsing of FastGlyph data on the FreeRDP client. The code uses the cbData length without confirming that the minimum size implied by the glyph dimensions is satisfied. An attacker controlling a remote RDP server can send a malformed glyph packet that overflows a client‑side heap buffer. The result is a client crash, which is a denial‑of‑service condition. The weakness is a classic heap buffer overflow (CWE‑122).

Affected Systems

FreeRDP version 3.20.x and earlier are vulnerable. The issue is present in the main FreeRDP library used by many open‑source remote‑desktop clients. Version 3.21.0 and later contain the patch. Any system running a FreeRDP client that connects to an attacker‑controlled RDP server and accepts FastGlyph packets is affected.

Risk and Exploitability

The entry carries a CVSS score of 5.5, indicating moderate severity. Because the EPSS score is below 1%, the likelihood of this vulnerability being exploited in the wild is low, and it is not listed in the CISA KEV catalog. The attack requires the client to accept a malicious glyph packet from a remote server, which usually means the user must initiate a remote desktop session. The overflow leads only to a crash, not arbitrary code execution, making it a local or network‑limited denial of service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

FreeRDP

affected

Version	Status	Constraints
`< 3.21.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Freerdp	Freerdp	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to FreeRDP 3.21.0 or newer, where the FastGlyph buffer overflow bug is fixed.
If an upgrade is not yet possible, disable the FastGlyph feature or restrict connections to trusted RDP servers to mitigate the risk of receiving malicious glyph payloads.
Monitor client logs for repeated “FreeRDP crash” or memory errors, and ensure that crash recovery services restart the client to maintain service availability.

Generated by OpenCVE AI on April 18, 2026 at 05:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00133.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/cache/glyph.c#L463-L480
https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/codec/color.c#L261-L277
https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/core/graphics.c#L138
https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/core/orders.c#L2186C17-L2199
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7qxp-j2fj-c3pp
https://nvd.nist.gov/vuln/detail/CVE-2026-23732
https://www.cve.org/CVERecord?id=CVE-2026-23732

History

Wed, 28 Jan 2026 18:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:freerdp:freerdp::::::::
Metrics	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Tue, 20 Jan 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 20 Jan 2026 08:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Freerdp Freerdp freerdp
Vendors & Products		Freerdp Freerdp freerdp

Tue, 20 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-23732 https://www.cve.org/CVERecord?id=CVE-2026-23732
Metrics	threat_severity `None`	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Mon, 19 Jan 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client‑side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue.
Title		FreeRDP has heap-buffer-overflow in Glyph_Alloc
Weaknesses		CWE-122
References		https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/cache/glyph.c#L463-L480 https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/codec/color.c#L261-L277 https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/core/graphics.c#L138 https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/core/orders.c#L2186C17-L2199 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7qxp-j2fj-c3pp
Metrics		cvssV4_0 `{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Freerdp Freerdp

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-19T17:12:57.772Z

Updated: 2026-01-20T15:34:21.309Z

Reserved: 2026-01-15T15:45:01.957Z

Link: CVE-2026-23732

Vulnrichment

Updated: 2026-01-20T15:34:12.728Z

NVD

Status : Analyzed

Published: 2026-01-19T18:16:05.867

Modified: 2026-01-28T18:38:37.410

Link: CVE-2026-23732

Redhat

Severity : Moderate

Publid Date: 2026-01-19T17:12:57Z

Links: CVE-2026-23732 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses

CWE-122

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object