CVE-2026-23532
Published 2026-01-19
Priority: P259 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.43% (34.7th percentile)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
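The following C model is an added illustration of the bug class the advisory describes, not FreeRDP's code and not taken from the advisory: a destination rectangle that is clamped to the surface while the copy still uses the unclamped width and height, beside a copy whose size is derived from the clamped rectangle. The types `surface_t` and `rect_t` and the functions `clamp_mismatch`, `copy_rect_safe` and `demo_safe_copy` are constructed names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a surface and a rectangle (right/bottom exclusive); not FreeRDP's types. */
typedef struct { uint32_t width, height; uint32_t *pixels; } surface_t;
typedef struct { uint64_t left, top, right, bottom; } rect_t;

/* Clamp r to the surface; returns 0 if nothing remains to draw. */
static int clamp_rect(const surface_t *s, rect_t *r)
{
    if (r->right > s->width) r->right = s->width;
    if (r->bottom > s->height) r->bottom = s->height;
    return r->left < r->right && r->top < r->bottom;
}

/* The bug class the advisory names: the rectangle is clamped, but the copy still uses the
 * server-supplied w x h. Returns how many pixels such a copy would write outside the clamped
 * area (0 means the sizes agree). Arithmetic only, no memory is touched. */
uint64_t clamp_mismatch(uint32_t sw, uint32_t sh, uint32_t l, uint32_t t, uint32_t w, uint32_t h)
{
    surface_t s = { sw, sh, NULL };
    rect_t r = { l, t, (uint64_t)l + w, (uint64_t)t + h };
    if (!clamp_rect(&s, &r)) return (uint64_t)w * h;
    return (uint64_t)w * h - (r.right - r.left) * (r.bottom - r.top);
}

/* Hardened form: the copy size comes from the clamped rectangle and is checked against the
 * source too, so every write stays inside dst. Copies from src (0,0); returns pixels written. */
uint64_t copy_rect_safe(const surface_t *src, surface_t *dst, uint32_t l, uint32_t t, uint32_t w, uint32_t h)
{
    rect_t r = { l, t, (uint64_t)l + w, (uint64_t)t + h };
    if (!clamp_rect(dst, &r)) return 0;
    uint64_t cw = r.right - r.left, ch = r.bottom - r.top;
    if (cw > src->width || ch > src->height) return 0;
    for (uint64_t y = 0; y < ch; y++)
        memcpy(&dst->pixels[(r.top + y) * dst->width + r.left], &src->pixels[y * src->width], cw * sizeof(uint32_t));
    return cw * ch;
}

/* Constructed check: an 8x8 source placed at (60,60) on a 64x64 destination; only the 4x4
 * corner that fits is written. Returns the pixel count if the destination agrees, else 0. */
uint64_t demo_safe_copy(void)
{
    uint32_t *dp = calloc(64 * 64, sizeof(uint32_t)), sp[64];
    for (int i = 0; i < 64; i++) sp[i] = 1;
    surface_t dst = { 64, 64, dp }, src = { 8, 8, sp };
    uint64_t copied = copy_rect_safe(&src, &dst, 60, 60, 8, 8), ones = 0;
    for (int i = 0; i < 64 * 64; i++) ones += dp[i]; free(dp);
    return copied == ones ? copied : 0;
}
```

With the unsafe pattern the same 8x8 request at (60,60) would write 48 pixels beyond the 16 that fit; the hardened copy writes exactly those 16.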
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | freerdp2 | < freerdp3 3.21.0+dfsg-1 (forky) | freerdp3 3.21.0+dfsg-1 (forky) |
| debian | freerdp3 | < freerdp3 3.21.0+dfsg-1 (forky) | freerdp3 3.21.0+dfsg-1 (forky) |
| freerdp | freerdp | < 3.21.0 | 3.21.0 |
Detection & IOCs (extracted from sources)
- Monitor FreeRDP client processes for unexpected crashes or heap corruption signals (e.g., SIGABRT, SIGSEGV) originating from the `gdi_SurfaceToSurface` code path, which may indicate exploitation attempts.
- Flag FreeRDP client connections to untrusted or unknown RDP servers; exploitation requires the client to connect to a maliciously configured server.
- Debian bookworm and bullseye packages remain open (unpatched) as of the tracker update; monitor the Debian security tracker for fix availability.
- Red Hat Enterprise Linux 6 will not receive a fix for this CVE.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 7.7 | HIGH | |
| vendor_debian | | 7.7 | HIGH | |
| vendor_redhat | | 7.7 | HIGH | |
Ubuntu
FreeRDP vulnerabilities
vendor_ubuntu·2026-03-18
CVE-2026-25954 FreeRDP vulnerabilities
Title: FreeRDP vulnerabilities
Summary: Several security issues were fixed in FreeRDP.
It was discovered that FreeRDP incorrectly handled certain RDP packets. A remote attacker could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
FreeRDP vulnerabilities
vendor_ubuntu·2026-02-03
CVE-2026-23533 FreeRDP vulnerabilities
Title: FreeRDP vulnerabilities
Summary: Several security issues were fixed in FreeRDP.
Kim Dong Han discovered that FreeRDP did not correctly validate the size of certain variables, which could cause a buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Instructions: After a standard system update you need to restart your session to make all the necessary changes.
Red Hat
freerdp: FreeRDP: Denial of Service and potential code execution via client-side heap buffer overflow
vendor_redhat·2026-01-19·CVSS 7.7
CVE-2026-23532 [HIGH] CWE-122 freerdp: FreeRDP: Denial of Service and potential code execution via client-side heap buffer overflow
A flaw was found in FreeRDP. A malicious server can exploit a client-side heap buffer overflow vulnerability in the `gdi_SurfaceToSurface` path. This vulnerability, caused by a
Debian
CVE-2026-23532: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio...
vendor_debian·2026·CVSS 7.7
Scope: local
bookworm: open
bullseye: open
VulDB
FreeRDP up to 3.20.x gdi_SurfaceToSurface heap-based overflow (GHSA-fq8c-87hj-7gvr / EUVD-2026-3316)
vuldb·2026-06-11·CVSS 9.8
A vulnerability classified as critical has been found in FreeRDP up to 3.20.x. This vulnerability affects the function gdi_SurfaceToSurface. The manipulation leads to heap-based buffer overflow.
This vulnerability is referenced as CVE-2026-23532. Remote exploitation of the attack is possible. No exploit is available.
It is recommended to upgrade the affected component.
OSV
CVE-2026-23532: FreeRDP is a free implementation of the Remote Desktop Protocol
osv·2026-01-19·CVSS 7.7
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-23532 freerdp: FreeRDP: Denial of Service and potential code execution via client-side heap buffer overflow
bugzilla·2026-01-19·CVSS 7.7
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2026:2048 https://access.redhat.com/errata/RHSA-2026:2
Bugzilla
CVE-2026-23532 freerdp2: FreeRDP: Denial of Service and potential code execution via client-side heap buffer overflow [fedora-42]
bugzilla·2026-01-19·CVSS 7.7
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in
Wiz
CVE-2026-23532 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
## CVE-2026-23532: NixOS vulnerability analysis and mitigation
Function: gdi_SurfaceToSurface
Source: NVD
Score: 7.7 (CNA score 7.7, severity HIGH), published January 19, 2026
Affected technologies: NixOS, Rocky Linux
Has public exploit: Yes
Has CISA KEV exploit: No (CISA KEV release date N/A, due date N/A)
EPSS: 0.1 (33.5th percentile)
Affected packages and libraries: libwinpr-devel, freerdp-wayland
Sources: NVD
- AlmaLinux 8: severity HIGH, has fix, added Feb 08, 2026
- AlmaLinux 9: severity HIGH, has fix, added Feb 11, 2026
- Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23: severity CRITICAL, has fix, added Jan 29, 2026
- Alpine edge: severity CRITICAL, has fix, added Jan 26, 202
References
- https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/gdi/gfx.c#L1368-L1382
- https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr
- https://access.redhat.com/errata/RHSA-2026:2048
- https://access.redhat.com/errata/RHSA-2026:2081
- https://access.redhat.com/errata/RHSA-2026:2222
- https://access.redhat.com/errata/RHSA-2026:2714
- https://access.redhat.com/errata/RHSA-2026:2736
- https://access.redhat.com/errata/RHSA-2026:2770
- https://access.redhat.com/errata/RHSA-2026:2824
- https://access.redhat.com/errata/RHSA-2026:2952
- https://access.redhat.com/errata/RHSA-2026:3036
- https://access.redhat.com/errata/RHSA-2026:3037
- https://access.redhat.com/errata/RHSA-2026:3038
- https://access.redhat.com/errata/RHSA-2026:3039
- https://access.redhat.com/errata/RHSA-2026:3041
- https://access.redhat.com/security/cve/CVE-2026-23532
- https://bugzilla.redhat.com/show_bug.cgi?id=2430891
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23532.json