Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client by sending crafted RDPGFX PDUs. The bug is in gdi_CacheToSurface: it validates a destination rectangle that is clamped to UINT16_MAX, but then performs the copy using the original cacheEntry->width/height. This can cause a large out-of-bounds heap write and may lead to client crashes or code execution. This bug is reachable from a malicious RDP server, but only when the client has RDPGFX enabled. This vulnerability is fixed in 3.26.0.
Published: 2026-05-29
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap-buffer-overflow occurs in the FreeRDP client's gdi_CacheToSurface function when handling RDPGFX packets. The function clamps a destination rectangle to a 16-bit maximum and validates that clamped rectangle, but then copies data using the original, potentially oversized, width and height values of the cache entry. This flaw can cause a large out-of-bounds write, leading to client crashes or execution of arbitrary code on the client machine. The weakness is classified as a heap-based buffer overflow (CWE-122).

Affected Systems

The vulnerability affects the FreeRDP client prior to version 3.26.0. Clients that have RDPGFX enabled are susceptible; any deployment of FreeRDP 3.25.x or earlier running RDPGFX is at risk.

Risk and Exploitability

The CVSS score of 8.8 reflects a high severity impact. The EPSS score is currently not available, and the issue is not listed in the CISA KEV catalog, indicating no confirmed exploitation yet. A malicious RDP server can trigger the flaw remotely; the attacker only needs to send crafted RDPGFX PDUs to an affected client with RDPGFX enabled. The attack vector is server-initiated remote exploitation: it requires no client privileges, only that a user connect the client to the malicious server (CVSS UI:R). Given the high severity and potential for code execution, the risk to exposed or internal networks remains significant.

Generated by OpenCVE AI on May 29, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to FreeRDP 3.26.0 or later to apply the buffer-overflow fix.
  • If RDPGFX functionality is not required, disable it on all clients to eliminate the attack surface.
  • Block or limit RDP traffic from untrusted servers to mitigate exploitation risk.

Generated by OpenCVE AI on May 29, 2026 at 21:51 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Freerdp; Freerdp freerdp
Vendors & Products   -                Freerdp; Freerdp freerdp

Fri, 29 May 2026 20:15:00 +0000

Type         Values Removed   Values Added
Description  -                FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client by sending crafted RDPGFX PDUs. The bug is in gdi_CacheToSurface: it validates a destination rectangle that is clamped to UINT16_MAX, but then performs the copy using the original cacheEntry->width/height. This can cause a large out-of-bounds heap write and may lead to client crashes or code execution. This bug is reachable from a malicious RDP server, but only when the client has RDPGFX enabled. This vulnerability is fixed in 3.26.0.
Title        -                FreeRDP RDPGFX CacheToSurface heap-buffer-overflow via clamped-rectangle validation bypass
Weaknesses   -                CWE-122
References   -                -
Metrics      -                cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:40:25.492Z

Reserved: 2026-05-06T14:40:00.953Z

Link: CVE-2026-44421

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-29T20:16:24.513

Modified: 2026-05-29T20:22:37.383

Link: CVE-2026-44421

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T22:00:09Z

Weaknesses