Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.
Published: 2026-02-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

FreeRDP clients that use the GDI surface pipeline are vulnerable to a heap buffer overflow caused by an RDP server that sends an RDPGFX ClearCodec command with an out-of-bounds destination rectangle. The lack of bounds checking in the gdi_SurfaceCommand_ClearCodec handler allows the attacker to write beyond the intended surface data, corrupting a pointer inside the gdiGfxSurface structure. This corruption leads to an indirect function pointer call that an attacker can control, enabling full instruction pointer takeover and arbitrary code execution on the client.
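The bug described above comes down to one missing check before a pixel copy. The C below is added here as an illustration and is not FreeRDP code: it models a surface pixel buffer that happens to be followed in memory by a struct holding a function pointer, shows a row copy that trusts the server's rectangle landing on that pointer, and the `is_within_surface`-style validation that stops it. `Surface`, `SurfaceCmd`, `Neighbor`, `copy_rect_unchecked` and `surface_command_checked` are stand-in names chosen for the example, not the project's own types or signatures, and the 0x41 payload is constructed sample data.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a GFX surface (hypothetical names modelled on the CVE text). */
typedef struct {
    uint32_t width, height;   /* surface size in pixels */
    uint32_t bpp;             /* bytes per pixel */
    uint32_t scanline;        /* bytes per row (width * bpp) */
    uint8_t *data;            /* pixel buffer, data_len bytes */
    size_t   data_len;
} Surface;

/* Destination rectangle as taken from the server's surface command: untrusted. */
typedef struct { uint32_t left, top, right, bottom; } SurfaceCmd;

/* Whatever sits right after the pixel buffer; its function pointer is the kind of
 * field an overflowing copy clobbers. Fixed at 16 bytes so the layout below is exact. */
typedef struct {
    void (*decode)(void);
    uint8_t pad[16 - sizeof(void (*)(void))];
} Neighbor;

/* The check the vulnerable handler skipped: reject inverted rectangles (right - left
 * would wrap to a huge width) and any edge lying past the surface. */
bool is_within_surface(const Surface *s, const SurfaceCmd *c)
{
    if (c->right < c->left || c->bottom < c->top)
        return false;
    return c->right <= s->width && c->bottom <= s->height;
}

/* Row-by-row copy that trusts the rectangle, i.e. the behaviour the CVE describes. */
static void copy_rect_unchecked(Surface *s, const SurfaceCmd *c, const uint8_t *src)
{
    uint32_t w = c->right - c->left, h = c->bottom - c->top;
    for (uint32_t y = 0; y < h; y++) {
        uint8_t *dst = s->data + (size_t)(c->top + y) * s->scanline + (size_t)c->left * s->bpp;
        memcpy(dst, src + (size_t)y * w * s->bpp, (size_t)w * s->bpp);
    }
}

/* Hardened entry point: validate, then copy. Returns false when the command is rejected. */
bool surface_command_checked(Surface *s, const SurfaceCmd *c, const uint8_t *src)
{
    if (!is_within_surface(s, c))
        return false;
    copy_rect_unchecked(s, c, src);
    return true;
}

/* One allocation laid out as [4x4 RGBA pixels][Neighbor], so a write one row past the
 * surface lands exactly on the neighbour. Caller frees *alloc. */
static Surface make_surface(uint8_t **alloc, Neighbor **nb)
{
    Surface s = { .width = 4, .height = 4, .bpp = 4 };
    s.scanline = s.width * s.bpp;                 /* 16 bytes per row */
    s.data_len = (size_t)s.scanline * s.height;   /* 64 bytes of pixels */
    *alloc = calloc(1, s.data_len + sizeof(Neighbor));
    s.data = *alloc;
    *nb = (Neighbor *)(*alloc + s.data_len);      /* decode pointer starts out NULL */
    return s;
}

/* True if an unchecked copy with top == height overwrote the neighbour's pointer bytes. */
bool demo_unchecked_corrupts_neighbor(void)
{
    uint8_t *alloc; Neighbor *nb;
    Surface s = make_surface(&alloc, &nb);
    uint8_t payload[64]; memset(payload, 0x41, sizeof payload);   /* constructed "pixels" */
    SurfaceCmd oob = { .left = 0, .top = 4, .right = 4, .bottom = 5 }; /* row 4 does not exist */
    copy_rect_unchecked(&s, &oob, payload);      /* writes bytes 64..79: the Neighbor */
    bool clobbered = memcmp(nb, payload, sizeof(Neighbor)) == 0;
    free(alloc);
    return clobbered;
}

/* True if the hardened path rejects the out-of-bounds and inverted rectangles, still
 * accepts an in-bounds one, and leaves the neighbour untouched throughout. */
bool demo_checked_rejects(void)
{
    uint8_t *alloc; Neighbor *nb;
    Surface s = make_surface(&alloc, &nb);
    uint8_t payload[64]; memset(payload, 0x41, sizeof payload);
    SurfaceCmd oob      = { .left = 0, .top = 4, .right = 4, .bottom = 5 };
    SurfaceCmd inverted = { .left = 4, .top = 0, .right = 0, .bottom = 4 };
    SurfaceCmd ok       = { .left = 0, .top = 0, .right = 4, .bottom = 4 };
    bool r = !surface_command_checked(&s, &oob, payload)
          && !surface_command_checked(&s, &inverted, payload)
          &&  surface_command_checked(&s, &ok, payload)
          &&  nb->decode == NULL;
    free(alloc);
    return r;
}

int main(void)
{
    printf("unchecked copy clobbers neighbour: %s\n", demo_unchecked_corrupts_neighbor() ? "yes" : "no");
    printf("checked path rejects bad rects:    %s\n", demo_checked_rejects() ? "yes" : "no");
    return 0;
}
```

The point of the inverted-rectangle case is that a check on `right` and `bottom` alone is not enough: with unsigned arithmetic, `right < left` turns the copy width into a value near 4 billion, so the ordering test has to come first.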

Affected Systems

The affected product is FreeRDP, with all releases before version 3.23.0 vulnerable, including the xfreerdp client that utilizes the GDI surface pipeline. No other vendors or product variations are mentioned in the CVE.

Risk and Exploitability

The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R) reflects network-reachable remote code execution that needs no privileges but does need user interaction: the victim's client has to connect to the attacker's server. The EPSS score below 1% indicates a low current exploitation probability, and the vulnerability is not in the CISA KEV catalog, so no in-the-wild exploitation is known (the SSVC record rates Exploitation as "poc"). That said, any RDP server the client connects to can deliver the trigger, so an attacker only needs to host a malicious server or control one the client already uses. Since an exploitability harness has already demonstrated instruction pointer control, the risk is significant for any client that connects to untrusted servers.

Generated by OpenCVE AI on April 17, 2026 at 14:51 UTC.

Remediation

The CVE description states that the fix ships in FreeRDP 3.23.0; no separate workaround is published.

OpenCVE Recommended Actions

  • Upgrade all FreeRDP clients (and applications that embed the FreeRDP client library) to version 3.23.0 or later, which adds the missing bounds check in gdi_SurfaceCommand_ClearCodec.
  • Restrict RDP clients to connecting to trusted servers only, for example with egress controls on destination hosts. The RDP session, including the RDPGFX channel, is normally carried inside TLS, so firewalls and packet-inspection devices cannot see ClearCodec commands or their rectangles; filtering at that layer is not a workable mitigation.
  • Until clients are patched, disabling the RDPGFX graphics pipeline on clients that do not need it removes the path to the ClearCodec surface-command handler; treat this as a stopgap, not a substitute for upgrading.



Advisories

No advisories yet.

History

Sat, 28 Feb 2026 00:15:00 +0000

Type                  Values Removed            Values Added
Weaknesses                                      CWE-805
References
Metrics               threat_severity: None     threat_severity: Important

Fri, 27 Feb 2026 15:00:00 +0000

Type                  Values Removed            Values Added
CPEs                                            cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 03:15:00 +0000

Type                  Values Removed            Values Added
Metrics                                         ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type                  Values Removed            Values Added
First Time appeared                             Freerdp; Freerdp freerdp
Vendors & Products                              Freerdp; Freerdp freerdp

Wed, 25 Feb 2026 21:15:00 +0000

Type                  Values Removed            Values Added
Description                                     (identical to the Description section at the top of this page)
Title                                           FreeRDP has Out-of-bounds Write
Weaknesses                                      CWE-787
References
Metrics                                         cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T20:30:46.008Z

Reserved: 2026-02-16T22:20:28.611Z

Link: CVE-2026-26955

Vulnrichment

Updated: 2026-02-26T20:30:41.412Z

NVD

Status : Analyzed

Published: 2026-02-25T21:16:42.863

Modified: 2026-02-27T14:50:07.533

Link: CVE-2026-26955

Redhat

Severity : Important

Public Date: 2026-02-25T20:47:14Z

Links: CVE-2026-26955 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses