Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer overread in `freerdp_image_copy_from_icon_data()` (libfreerdp/codec/color.c) can be triggered by crafted RDP Window Icon (TS_ICON_INFO) data. The bug is reachable over the network when a client processes icon data from an RDP server (or from a man-in-the-middle). Version 3.23.0 fixes the issue.
Published: 2026-02-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Buffer Overread
Action: Apply Patch
AI Analysis

Impact

A buffer overread exists in the function `freerdp_image_copy_from_icon_data()` in FreeRDP before version 3.23.0. When a client processes a crafted RDP Window Icon (TS_ICON_INFO) packet, the function reads beyond the intended bounds. The description does not describe a direct code execution vector, and thus it is inferred—based on the information provided—that the vulnerability is limited to information disclosure. The memory overread may expose sensitive data that is resident in the client’s address space, constituting an information‑disclosure vulnerability. The weakness is classified under CWE‑126 and CWE‑805.

Affected Systems

The unpatched vulnerability affects all releases of the FreeRDP project before version 3.23.0. It is present in the official FreeRDP distribution and in any environment that uses a client built from an older source tree. The affected product is specifically named FreeRDP:FreeRDP and all versions earlier than 3.23.0.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than one percent suggests a very low likelihood of exploitation in the wild at present. The flaw is reachable over the network: an attacker who controls or intercepts an RDP session can supply malicious icon data. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation. Consequently, while the risk of exploitation is low, the possibility of accidental data leakage to a connected client or attack‑via‑man‑in‑the‑middle scenario exists.

Generated by OpenCVE AI on April 18, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FreeRDP to version 3.23.0 or later, which includes the buffer‑bounds fix.
  • If an immediate upgrade is not possible, disable or reject TS_ICON_INFO processing in the client configuration to eliminate the vulnerable code path.
  • Implement network monitoring or firewall rules to detect and block abnormal RDP icon data traffic, reducing the chance that malicious packets reach the client.

Generated by OpenCVE AI on April 18, 2026 at 17:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Freerdp
Freerdp freerdp
Vendors & Products Freerdp
Freerdp freerdp

Thu, 26 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

threat_severity

Moderate

Wed, 25 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
Description FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer overread in `freerdp_image_copy_from_icon_data()` (libfreerdp/codec/color.c) can be triggered by crafted RDP Window Icon (TS_ICON_INFO) data. The bug is reachable over the network when a client processes icon data from an RDP server (or from a man-in-the-middle). Version 3.23.0 fixes the issue.
Title Buffer Overread in FreeRDP Icon Processing
Weaknesses CWE-126
References
Metrics cvssV4_0

{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Freerdp Freerdp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:50:49.130Z

Reserved: 2026-02-12T17:10:53.413Z

Link: CVE-2026-26271

cve-icon Vulnrichment

Updated: 2026-02-26T15:50:43.443Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T21:16:42.713

Modified: 2026-02-27T16:46:56.747

Link: CVE-2026-26271

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-25T20:40:19Z

Links: CVE-2026-26271 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses