CVE-2026-31806Heap-based Buffer Overflow in Freerdp

CWE-122Heap-based Buffer OverflowCWE-131Incorrect Calculation of Buffer Size7 documents7 sources
Severity
9.3CRITICALNVD
EPSS
0.0%
top 94.07%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Freerdp
Timeline
PublishedMar 13

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits() function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size. Because these values are used during bitm

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

CVEListV5freerdp/freerdp< 3.24.0
NVDfreerdp/freerdp< 3.24.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
CVE-2026-31806: FreeRDP is a free implementation of the Remote Desktop Protocol2026-03-13
CVEList
FreeRDP has a Heap Buffer Overflow in nsc_process_message() via Unchecked SURFACE_BITS_COMMAND Bitmap Dimensions2026-03-13

📋Vendor Advisories

2
Red Hat
freerdp: FreeRDP: Arbitrary code execution via crafted Remote Desktop Protocol (RDP) server messages2026-03-13
Debian
CVE-2026-31806: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-31806 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-31806 freerdp: FreeRDP: Arbitrary code execution via crafted Remote Desktop Protocol (RDP) server messages2026-03-13