Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits() function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size. Because these values are used during bitmap decoding and memory operations without proper bounds checking, this can lead to a heap buffer overflow. Since the attacker can also control the associated pixel data transmitted by the server, the overflow may be exploitable to overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0.
Published: 2026-03-13
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A heap buffer overflow occurs in FreeRDP's nsc_process_message() function when it processes SURFACE_BITS_COMMAND messages. As described, gdi_surface_bits() does not validate the bitmap width and height values supplied by the RDP server, so those values can exceed the actual desktop surface dimensions. The unchecked values are used during bitmap decoding and memory operations, resulting in an overflow that can overwrite adjacent heap memory. This vulnerability could enable an attacker to execute arbitrary code on, or crash, the client. Key detail from vendor description: *"This vulnerability is fixed in 3.24.0."*
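As an added illustration (not FreeRDP's code, which this record does not show), this is the kind of dimension check the description says was missing: the server-supplied bmp.width/bmp.height pair and destination rectangle are validated against the client's own, trusted desktop dimensions before any decode buffer is sized. The struct and function names are assumptions for the example, and right/bottom are treated as exclusive coordinates.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical, simplified view of the fields the advisory discusses.
 * The names are assumptions for this example, not FreeRDP's real structures. */
typedef struct {
    uint16_t destLeft, destTop, destRight, destBottom; /* target rectangle; right/bottom exclusive */
    uint16_t width, height;                            /* bmp.width / bmp.height, server-controlled */
} surface_bits_cmd_t;

typedef struct {
    uint32_t width, height;   /* desktop dimensions the client negotiated; trusted */
    uint32_t bytesPerPixel;
} desktop_t;

/* Reject any bitmap that does not fit inside both the desktop surface and the
 * rectangle it is drawn into.  Comparisons are done after widening to 64-bit
 * so an oversized value cannot wrap to a small one (the CWE-131 angle). */
bool surface_bits_dims_ok(const surface_bits_cmd_t *cmd, const desktop_t *desk)
{
    if (cmd->width == 0 || cmd->height == 0)
        return false;                         /* empty bitmap: treat as malformed */
    if (cmd->destRight <= cmd->destLeft || cmd->destBottom <= cmd->destTop)
        return false;                         /* inverted or empty rectangle */
    if ((uint64_t)cmd->destRight > desk->width || (uint64_t)cmd->destBottom > desk->height)
        return false;                         /* rectangle hangs off the desktop */
    uint64_t rect_w = (uint64_t)cmd->destRight - cmd->destLeft;
    uint64_t rect_h = (uint64_t)cmd->destBottom - cmd->destTop;
    return cmd->width <= rect_w && cmd->height <= rect_h; /* bitmap must fit its destination */
}

/* Bytes the decoder will write for a command that passed the check, computed
 * in 64-bit so it cannot wrap; 0 means "rejected, do not decode or allocate". */
uint64_t surface_bits_decode_bytes(const surface_bits_cmd_t *cmd, const desktop_t *desk)
{
    if (!surface_bits_dims_ok(cmd, desk))
        return 0;
    return (uint64_t)cmd->width * cmd->height * desk->bytesPerPixel;
}

/* Scalar wrapper so individual cases can be exercised without building structs. */
uint64_t surface_bits_check(uint32_t dw, uint32_t dh, uint32_t bpp,
                            uint16_t l, uint16_t t, uint16_t r, uint16_t b,
                            uint16_t bw, uint16_t bh)
{
    surface_bits_cmd_t cmd = { l, t, r, b, bw, bh };
    desktop_t desk = { dw, dh, bpp };
    return surface_bits_decode_bytes(&cmd, &desk);
}
```

A return of 0 is the signal to drop the command before the NSCodec decoder or any memory operation sees the attacker-chosen dimensions.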

Affected Systems

The issue affects FreeRDP, the free implementation of the Remote Desktop Protocol, in all versions prior to 3.24.0 (3.23.x and earlier). Any deployment of FreeRDP that processes SURFACE_BITS_COMMAND messages via NSCodec without the 3.24.0 update is vulnerable. The vendor explicitly lists FreeRDP:FreeRDP as the impacted product.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. Though the vulnerability is not listed in the CISA KEV catalog, its nature allows an attacker who controls a malicious RDP server to send crafted bitmap commands over the network to a connecting client, thereby exploiting the unchecked dimensions. The description and the CVSS vector (AV:N) both indicate that the attack vector is network traffic from an attacker-controlled RDP server. The potential impact includes arbitrary code execution on the affected client system.

Generated by OpenCVE AI on March 17, 2026 at 16:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the FreeRDP patch to version 3.24.0 or newer.
  • If the patch cannot be applied immediately, limit RDP connections to trusted IP ranges or enforce VPN access to restrict who can serve RDP commands.
  • Monitor system logs for abnormal SURFACE_BITS_COMMAND entries and consider disabling support for NSCodec-generated bitmap messages if not required.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 14:30:00 +0000
  • CPEs: added cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
  • Metrics: removed cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; added cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 16 Mar 2026 10:15:00 +0000
  • First Time appeared: added Freerdp, Freerdp freerdp
  • Vendors & Products: added Freerdp, Freerdp freerdp

Sun, 15 Mar 2026 02:15:00 +0000
  • Metrics: added ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 14 Mar 2026 00:15:00 +0000
  • Weaknesses: added CWE-131
  • References: (no values shown)
  • Metrics: removed threat_severity None; added cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}, threat_severity Important

Fri, 13 Mar 2026 17:45:00 +0000
  • Description: added (identical to the description at the top of this page)
  • Title: added "FreeRDP has a Heap Buffer Overflow in nsc_process_message() via Unchecked SURFACE_BITS_COMMAND Bitmap Dimensions"
  • Weaknesses: added CWE-122
  • References: (no values shown)
  • Metrics: added cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-15T01:51:18.600Z

Reserved: 2026-03-09T16:33:42.913Z

Link: CVE-2026-31806

Vulnrichment

Updated: 2026-03-15T01:50:40.332Z

NVD

Status : Analyzed

Published: 2026-03-13T19:54:36.300

Modified: 2026-03-17T14:27:20.100

Link: CVE-2026-31806

Redhat

Severity : Important

Public Date: 2026-03-13T17:40:19Z

Links: CVE-2026-31806 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T13:40:39Z

Weaknesses