Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP's server-side clipboard (cliprdr) channel by sending a CB_CLIP_CAPS PDU with a too-small capabilitySetLength. This can crash the server process (remote DoS) and may be exploitable for code execution because it corrupts heap memory. This vulnerability is fixed in 3.26.0.
Published: 2026-05-29
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malicious RDP client can send a CB_CLIP_CAPS PDU with an undersized capabilitySetLength to a FreeRDP server. The server-side clipboard (cliprdr) channel then performs a heap-buffer-overflow write. The overflow can crash the server, resulting in denial of service, and because it corrupts heap memory it may be exploitable for arbitrary code execution if the attacker can influence the corrupted data. The weakness is classified as CWE-122 (heap-based buffer overflow).
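
As an added illustration of the check described above, the following C parser reads a CB_CLIP_CAPS PDU as laid out in MS-RDPECLIP (clipboard PDU header, cCapabilitiesSets, then one capability set per entry) and rejects a capabilitySetLength that is smaller than the 4-byte capability-set header, larger than the data left in the PDU, or wrong for the fixed-size general capability set. This is example code written for this page, not FreeRDP's own code, and it makes no claim about where FreeRDP's missing check sat; unsafe_payload_len only shows the arithmetic that goes wrong when the client's length is trusted (with capabilitySetLength = 2 the size wraps to a huge value, and any copy sized by it writes past its destination). The sample PDUs are constructed, not captured.

```c
/*
 * Illustrative parser for the MS-RDPECLIP CB_CLIP_CAPS PDU, written for this
 * page as a stand-alone example. It is not FreeRDP code and does not claim to
 * show where FreeRDP's check was missing; it shows the bounds checks a server
 * needs before it trusts a client-supplied capabilitySetLength.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire constants from MS-RDPECLIP (clipboard PDU header, capabilities PDU). */
#define CB_CLIP_CAPS            0x0007
#define CB_CAPSTYPE_GENERAL     0x0001
#define CB_CAPSTYPE_GENERAL_LEN 12  /* type(2) + length(2) + version(4) + generalFlags(4) */
#define CLIPRDR_HEADER_LEN      8   /* msgType(2) + msgFlags(2) + dataLen(4) */

typedef struct {
    uint16_t cCapabilitiesSets;
    int      have_general;
    uint32_t version;
    uint32_t generalFlags;
} clip_caps_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The unsafe pattern: derive the body length from capabilitySetLength before
 * checking that it covers the 4-byte set header. With a value of 2 the
 * subtraction wraps to SIZE_MAX-1; a memcpy sized by that result writes far
 * past its destination. Only the computed size is returned here. */
static size_t unsafe_payload_len(uint16_t capabilitySetLength)
{
    return (size_t)capabilitySetLength - 4u;
}

/* Hardened parse. Returns 0 on success, a distinct negative code per check. */
static int parse_clip_caps(const uint8_t *buf, size_t len, clip_caps_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < CLIPRDR_HEADER_LEN + 4) return -1;          /* header + cCapabilitiesSets + pad1 */
    if (rd16(buf) != CB_CLIP_CAPS) return -2;
    uint32_t dataLen = rd32(buf + 4);
    if (dataLen > len - CLIPRDR_HEADER_LEN) return -3;    /* dataLen must fit the buffer */
    if (dataLen < 4) return -1;
    const uint8_t *p   = buf + CLIPRDR_HEADER_LEN;
    const uint8_t *end = p + dataLen;
    out->cCapabilitiesSets = rd16(p);
    p += 4;                                               /* cCapabilitiesSets + pad1 */

    for (uint16_t i = 0; i < out->cCapabilitiesSets; i++) {
        if ((size_t)(end - p) < 4) return -4;             /* need type + length */
        uint16_t type = rd16(p);
        uint16_t capabilitySetLength = rd16(p + 2);
        if (capabilitySetLength < 4) return -5;           /* must cover its own header */
        if ((size_t)capabilitySetLength > (size_t)(end - p)) return -6; /* must fit remaining data */
        if (type == CB_CAPSTYPE_GENERAL) {
            if (capabilitySetLength != CB_CAPSTYPE_GENERAL_LEN) return -7; /* fixed-size body */
            out->version      = rd32(p + 4);
            out->generalFlags = rd32(p + 8);
            out->have_general = 1;
        }
        p += capabilitySetLength;                         /* unknown types: skip by declared length */
    }
    return 0;
}

/* Constructed sample PDUs (not captured traffic). */
static const uint8_t good_pdu[] = {
    0x07,0x00, 0x00,0x00, 0x10,0x00,0x00,0x00,  /* CB_CLIP_CAPS, msgFlags 0, dataLen 16 */
    0x01,0x00, 0x00,0x00,                       /* cCapabilitiesSets 1, pad1 */
    0x01,0x00, 0x0c,0x00,                       /* CB_CAPSTYPE_GENERAL, capabilitySetLength 12 */
    0x02,0x00,0x00,0x00,                        /* version CB_CAPS_VERSION_2 */
    0x02,0x00,0x00,0x00                         /* generalFlags CB_USE_LONG_FORMAT_NAMES */
};
static const uint8_t undersized_pdu[] = {       /* capabilitySetLength 2, smaller than its own header */
    0x07,0x00, 0x00,0x00, 0x10,0x00,0x00,0x00,
    0x01,0x00, 0x00,0x00,
    0x01,0x00, 0x02,0x00,
    0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00
};
static const uint8_t overlong_pdu[] = {         /* capabilitySetLength 64, only 12 bytes remain */
    0x07,0x00, 0x00,0x00, 0x10,0x00,0x00,0x00,
    0x01,0x00, 0x00,0x00,
    0x01,0x00, 0x40,0x00,
    0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00
};

int main(void)
{
    clip_caps_t caps;
    int rc = parse_clip_caps(good_pdu, sizeof good_pdu, &caps);
    printf("well-formed : rc=%d version=%u flags=0x%08x\n", rc, caps.version, caps.generalFlags);
    printf("undersized  : rc=%d\n", parse_clip_caps(undersized_pdu, sizeof undersized_pdu, &caps));
    printf("overlong    : rc=%d\n", parse_clip_caps(overlong_pdu, sizeof overlong_pdu, &caps));
    printf("naive body length for capabilitySetLength=2: %zu\n", unsafe_payload_len(2));
    return 0;
}
```

The three length checks are the ones that matter: a set shorter than its own header, a set that claims more bytes than the PDU carries, and a fixed-size set whose declared length does not match its defined size. Each is rejected before any byte of the body is read or copied.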

Affected Systems

FreeRDP servers running any version prior to 3.26.0 are affected. The fix shipped in release 3.26.0, so any deployment of an older release is vulnerable unless it carries a backported patch.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects a network-reachable flaw that needs only low privileges and no user interaction. No EPSS score is available and the vulnerability is not listed in CISA KEV; that indicates no recorded exploitation in the wild, not that exploitation is difficult. The attack vector is a remote RDP client that connects to a FreeRDP server and, once the cliprdr channel has been established, sends a CB_CLIP_CAPS PDU with an undersized capabilitySetLength. The PR:L rating means the attacker must be able to complete a session as an ordinary client; from there a single malformed PDU crashes the server and, given control over the corrupted heap data, may allow code execution. Exploitation requires a vulnerable FreeRDP server that is network-reachable by the attacker.

Generated by OpenCVE AI on May 29, 2026 at 21:23 UTC.

Remediation

The OpenCVE remediation field lists no vendor fix or workaround; the CVE description, however, states that the issue is fixed in FreeRDP 3.26.0.

OpenCVE Recommended Actions

  • Upgrade the FreeRDP server to version 3.26.0 or later
  • If an upgrade is not immediately possible, disable the cliprdr (clipboard) channel on the server to prevent the vulnerability from being exercised
  • Restrict RDP access to trusted clients and monitor server logs for abnormal RDP sessions or crashes

Generated by OpenCVE AI on May 29, 2026 at 21:23 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 21:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Freerdp; Freerdp freerdp
Vendors & Products    -                Freerdp; Freerdp freerdp

Fri, 29 May 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description   -                FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP's server-side clipboard (cliprdr) channel by sending a CB_CLIP_CAPS PDU with a too-small capabilitySetLength. This can crash the server process (remote DoS) and may be exploitable for code execution because it corrupts heap memory. This vulnerability is fixed in 3.26.0.
Title         -                FreeRDP cliprdr server heap-buffer-overflow via undersized capabilitySetLength in CB_CLIP_CAPS
Weaknesses    -                CWE-122
References    -                -
Metrics       -                cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:42:23.460Z

Reserved: 2026-05-06T14:40:00.953Z

Link: CVE-2026-44420

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-29T20:16:24.383

Modified: 2026-05-29T20:22:37.383

Link: CVE-2026-44420

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T21:30:06Z

Weaknesses