Description
FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but performs copy operations using unclamped cache entry dimensions, enabling malicious RDP servers to trigger large out-of-bounds writes and potentially achieve remote code execution or client crash.
Published: 2026-05-26
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FreeRDP before 3.26.0 contains a heap‑buffer‑overflow vulnerability in the gdi_CacheToSurface function that allows remote attackers to write out‑of‑bounds heap memory. The bug arises because rectangle validation clamps coordinates to UINT16_MAX while copy operations use unclamped cache entry dimensions, enabling malicious RDP servers to trigger large out‑of‑bounds writes that can lead to remote code execution or client crashes.

Affected Systems

The affected product is FreeRDP, all installations of which are vulnerable when their version is older than 3.26.0. Users running FreeRDP clients that connect to Remote Desktop Protocol servers on their networks may be impacted.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity vulnerability, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker controlling an RDP server that sends specially crafted rectangle parameters to a FreeRDP client; the attack can be performed remotely over the network if the client is reachable. Given the potential for remote code execution, the risk is significant and the vulnerability should be addressed promptly.

Generated by OpenCVE AI on May 26, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FreeRDP client to version 3.26.0 or newer in which the heap‑buffer‑overflow has been fixed.
  • If an upgrade is not immediately possible, block or restrict inbound RDP traffic to the client from untrusted networks until the patch is applied.
  • Alternatively, review the FreeRDP configuration to disable or limit the use of gdi_CacheToSurface or rectangle validation features that are known to trigger the overflow.

Generated by OpenCVE AI on May 26, 2026 at 15:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but performs copy operations using unclamped cache entry dimensions, enabling malicious RDP servers to trigger large out-of-bounds writes and potentially achieve remote code execution or client crash.
Title FreeRDP - Heap-buffer-overflow in gdi_CacheToSurface via rectangle validation bypass
First Time appeared Freerdp
Freerdp freerdp
Weaknesses CWE-122
CPEs cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
Vendors & Products Freerdp
Freerdp freerdp
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Freerdp Freerdp
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T15:21:18.084Z

Reserved: 2026-04-08T13:36:55.304Z

Link: CVE-2026-40033

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-26T15:16:34.480

Modified: 2026-05-26T15:16:34.480

Link: CVE-2026-40033

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T15:30:08Z

Weaknesses