CVE-2026-23531
Unknown Unknown - Not Provided
Heap Buffer Overflow in FreeRDP ClearCodec Causes Potential Code Execution

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-01-19
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23531
EUVD
EUVD-2026-3317
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
freerdp freerdp to 3.21.0 (exc)
freerdp freerdp 3.21.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23531 is a heap-based buffer overflow vulnerability in FreeRDP versions up to 3.20.2, specifically in the ClearCodec component during decompression. When glyph data is present, the function clear_decompress calls freerdp_image_copy_no_overlap without validating the destination rectangle coordinates against the surface boundaries. This lack of bounds checking allows a malicious RDP server to send crafted surface updates with out-of-bounds destination rectangles, causing out-of-bounds reads and writes on the heap buffer. This can lead to heap corruption, crashes (denial of service), and potentially arbitrary code execution depending on heap layout and allocator behavior. [1]

Impact Analysis

This vulnerability can impact you by allowing a malicious RDP server to cause your FreeRDP client to crash due to heap buffer overflow, resulting in denial of service. More severely, it may allow the attacker to execute arbitrary code on your system if the heap layout and allocator behavior are favorable, potentially compromising your system's security. [1]

Detection Guidance

Detection of this vulnerability involves identifying if the FreeRDP client version in use is prior to 3.21.0, as these versions contain the vulnerable ClearCodec component. Since the vulnerability is triggered by crafted RDPGFX surface updates from a malicious server, monitoring RDP traffic for unusual or malformed RDPGFX surface update packets could indicate exploitation attempts. However, no specific detection commands are provided in the resources. A practical approach is to check the FreeRDP client version installed on your system using commands like `freerdp --version` or checking package manager information to confirm if the version is older than 3.21.0. Additionally, monitoring application crashes or heap corruption events related to FreeRDP during RDP sessions may help detect exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the FreeRDP client to version 3.21.0 or later, as this version contains the patch that fixes CVE-2026-23531 by improving input validation and bounds checking in the ClearCodec component. If upgrading is not immediately possible, consider restricting connections to trusted RDP servers only and monitoring for suspicious RDPGFX surface update traffic. Applying any available security patches or updates from your operating system or distribution that include the FreeRDP 3.21.0 release is also recommended. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23531. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart