Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP's server-side clipboard (cliprdr) channel by sending a CB_CLIP_CAPS PDU with a too-small capabilitySetLength. This can crash the server process (remote DoS) and may be exploitable for code execution because it corrupts heap memory. This vulnerability is fixed in 3.26.0.
Published: 2026-05-29
Score: 8.8 High
EPSS: 3.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FreeRDP, the open‑source Remote Desktop Protocol implementation, contains a heap‑buffer‑overflow flaw in its server‑side clipboard (cliprdr) channel. The vulnerability is triggered when a malicious RDP client sends a CB_CLIP_CAPS packet with an undersized capabilitySetLength, causing an out‑of‑bounds heap write. The result is a server crash that provides a remote denial‑of‑service, and the corrupted heap state creates a realistic possibility for arbitrary code execution. This weakness is a classic heap corruption problem classified as CWE‑122.

Affected Systems

All FreeRDP server installations running a version older than 3.26.0 are affected, regardless of the operating system. The flaw exists in the cliprdr channel, so any deployment that has this channel enabled is vulnerable. The issue was resolved in release 3.26.0; systems that have not applied the update remain exposed.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score of 4% suggests a modest likelihood of exploitation in the current environment. The vulnerability is not listed in the CISA KEV catalog. The exploit can be carried out remotely via an RDP session: an attacker who can reach the target over the network and initiate an RDP connection can send the malformed packet, triggering the overflow.

Generated by OpenCVE AI on June 24, 2026 at 12:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FreeRDP server to version 3.26.0 or later.
  • If upgrading is not immediately possible, disable the cliprdr channel on the server to eliminate the attack surface.
  • Restrict RDP access to trusted clients and monitor for abnormal connections or crashes.

Generated by OpenCVE AI on June 24, 2026 at 12:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

Fri, 29 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Freerdp
Freerdp freerdp
Vendors & Products Freerdp
Freerdp freerdp

Fri, 29 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP's server-side clipboard (cliprdr) channel by sending a CB_CLIP_CAPS PDU with a too-small capabilitySetLength. This can crash the server process (remote DoS) and may be exploitable for code execution because it corrupts heap memory. This vulnerability is fixed in 3.26.0.
Title FreeRDP cliprdr server heap-buffer-overflow via undersized capabilitySetLength in CB_CLIP_CAPS
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T12:06:14.073Z

Reserved: 2026-05-06T14:40:00.953Z

Link: CVE-2026-44420

cve-icon Vulnrichment

Updated: 2026-07-08T12:06:14.073Z

cve-icon NVD

Status : Modified

Published: 2026-05-29T20:16:24.383

Modified: 2026-06-02T03:16:17.143

Link: CVE-2026-44420

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:30:16Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow