CVE-2026-26955Out-of-bounds Write in Freerdp

CWE-787Out-of-bounds WriteCWE-805Buffer Access with Incorrect Length Value8 documents8 sources
Severity
8.8HIGHNVD
EPSS
0.1%
top 79.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Freerdp
Timeline
PublishedFeb 25
Latest updateMar 18

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5freerdp/freerdp< 3.23.0
NVDfreerdp/freerdp< 3.23.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
CVEList
FreeRDP has Out-of-bounds Write2026-02-25
OSV
CVE-2026-26955: FreeRDP is a free implementation of the Remote Desktop Protocol2026-02-25

📋Vendor Advisories

3
Ubuntu
FreeRDP vulnerabilities2026-03-18
Red Hat
freerdp: FreeRDP: Arbitrary code execution via heap buffer overflow in GDI surface pipeline2026-02-25
Debian
CVE-2026-26955: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-26955 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-26955 freerdp: FreeRDP: Arbitrary code execution via heap buffer overflow in GDI surface pipeline2026-02-26