CVE-2026-23531
Heap Buffer Overflow in FreeRDP ClearCodec Causes Potential Code Execution

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
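The missing check the description refers to, validating the destination rectangle against the surface before any pixel copy, shown as an added C example. This is illustrative code written for this page, not FreeRDP's `clear_decompress` or `freerdp_image_copy_no_overlap`; the `surface_t` and `rect_t` types, the naive check and the 16x16 surface are assumptions. It contrasts a 32-bit check that crafted coordinates can wrap around with a 64-bit check that rejects both oversized and wrapping rectangles before the heap buffer is touched.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical surface and rectangle types for illustration; not FreeRDP's. */
typedef struct {
    uint32_t width;   /* pixels */
    uint32_t height;  /* pixels */
    uint32_t bpp;     /* bytes per pixel */
    size_t   stride;  /* bytes per row, >= width * bpp */
    uint8_t *data;    /* heap buffer of height * stride bytes */
} surface_t;

typedef struct {
    uint32_t left, top, width, height;  /* destination rectangle, server-supplied */
} rect_t;

/* Flawed check: 32-bit sums wrap, so left = 0xFFFFFFF0, width = 0x20 adds to
 * 0x10 and passes against a 16-pixel-wide surface. Shown only as the "before". */
bool rect_within_surface_naive(const rect_t *r, const surface_t *s)
{
    return r->left + r->width <= s->width && r->top + r->height <= s->height;
}

/* Hardened check: 64-bit sums cannot wrap, and the row must also fit the stride. */
bool rect_within_surface(const rect_t *r, const surface_t *s)
{
    uint64_t right  = (uint64_t)r->left + (uint64_t)r->width;
    uint64_t bottom = (uint64_t)r->top  + (uint64_t)r->height;
    if (right > s->width || bottom > s->height)
        return false;
    return right * s->bpp <= s->stride;
}

/* Copy decoded rows into the surface only after the rectangle is validated.
 * Returns 0 on success, -1 when the update is rejected. */
int copy_rect_checked(surface_t *dst, const rect_t *r,
                      const uint8_t *src, size_t src_stride)
{
    if (!rect_within_surface(r, dst))
        return -1;
    size_t row_bytes = (size_t)r->width * dst->bpp;
    if (row_bytes > src_stride)
        return -1;
    for (uint32_t y = 0; y < r->height; y++) {
        uint8_t *drow = dst->data + ((size_t)r->top + y) * dst->stride
                                  + (size_t)r->left * dst->bpp;
        memcpy(drow, src + (size_t)y * src_stride, row_bytes);
    }
    return 0;
}

/* Demo helper: a zeroed w x h surface with 4 bytes per pixel on the heap. */
surface_t *make_surface(uint32_t w, uint32_t h)
{
    surface_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->width = w; s->height = h; s->bpp = 4; s->stride = (size_t)w * 4;
    s->data = calloc((size_t)h, s->stride);
    if (!s->data) { free(s); return NULL; }
    return s;
}

void free_surface(surface_t *s) { if (s) { free(s->data); free(s); } }

int main(void)
{
    surface_t *s = make_surface(16, 16);
    uint8_t glyph[8 * 8 * 4];               /* constructed 8x8 glyph payload */
    memset(glyph, 0xAB, sizeof glyph);

    rect_t ok   = { 4, 4, 8, 8 };              /* fits the surface */
    rect_t past = { 12, 0, 8, 8 };             /* right edge 20 > 16 */
    rect_t wrap = { 0xFFFFFFF0u, 0, 0x20, 8 }; /* wraps under 32-bit math */

    printf("naive check passes wrap? %d\n", rect_within_surface_naive(&wrap, s));
    printf("ok: %d  past: %d  wrap: %d\n",
           copy_rect_checked(s, &ok,   glyph, 8 * 4),
           copy_rect_checked(s, &past, glyph, 8 * 4),
           copy_rect_checked(s, &wrap, glyph, 8 * 4));
    free_surface(s);
    return 0;
}
```

The stride test matters as much as the width test: a rectangle whose right edge is inside the pixel width but whose row bytes exceed the allocated stride would still write past the end of the last row.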
Meta Information
Published: 2026-01-19
Last Modified: 2026-01-19
Generated: 2026-05-07
AI Q&A: 2026-01-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor    Product   Version / Range
freerdp   freerdp   versions before 3.21.0 (3.21.0 excluded)
freerdp   freerdp   3.21.0
CWE
CWE-122: A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-23531 is a heap-based buffer overflow vulnerability in FreeRDP versions up to 3.20.2, specifically in the ClearCodec component during decompression. When glyph data is present, the function clear_decompress calls freerdp_image_copy_no_overlap without validating the destination rectangle coordinates against the surface boundaries. This lack of bounds checking allows a malicious RDP server to send crafted surface updates with out-of-bounds destination rectangles, causing out-of-bounds reads and writes on the heap buffer. This can lead to heap corruption, crashes (denial of service), and potentially arbitrary code execution depending on heap layout and allocator behavior. [1]


How can this vulnerability impact me?

This vulnerability can impact you by allowing a malicious RDP server to cause your FreeRDP client to crash due to heap buffer overflow, resulting in denial of service. More severely, it may allow the attacker to execute arbitrary code on your system if the heap layout and allocator behavior are favorable, potentially compromising your system's security. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying if the FreeRDP client version in use is prior to 3.21.0, as these versions contain the vulnerable ClearCodec component. Since the vulnerability is triggered by crafted RDPGFX surface updates from a malicious server, monitoring RDP traffic for unusual or malformed RDPGFX surface update packets could indicate exploitation attempts. However, no specific detection commands are provided in the resources. A practical approach is to check the FreeRDP client version installed on your system using commands like `freerdp --version` or checking package manager information to confirm if the version is older than 3.21.0. Additionally, monitoring application crashes or heap corruption events related to FreeRDP during RDP sessions may help detect exploitation attempts. [1]
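The version comparison the detection answer above suggests, written out as an added C example (not the page's or FreeRDP's code): it extracts a `major.minor.patch` triple from a client's version banner and reports whether it falls in the affected range before 3.21.0. The banner strings used in the demo are constructed samples, and the parser is deliberately tolerant of text around the number so it can be fed the raw output of the client's version flag.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse the first "major.minor.patch" triple found in s into v[3].
 * Missing trailing components default to 0. Returns true on success. */
bool parse_version(const char *s, unsigned v[3])
{
    while (*s && !isdigit((unsigned char)*s))
        s++;                                  /* skip banner text before the number */
    if (!*s)
        return false;
    v[0] = v[1] = v[2] = 0;
    for (int i = 0; i < 3; i++) {
        char *end;
        unsigned long n = strtoul(s, &end, 10);
        if (end == s)
            return false;                     /* component must contain digits */
        v[i] = (unsigned)n;
        if (*end != '.')
            break;                            /* fewer than three components */
        s = end + 1;
    }
    return true;
}

/* Lexicographic comparison of two triples: <0, 0 or >0 like strcmp. */
int cmp_version(const unsigned a[3], const unsigned b[3])
{
    for (int i = 0; i < 3; i++)
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* 1 if the banner names a release before the fixed version 3.21.0 (affected),
 * 0 if it is 3.21.0 or later, -1 if no version could be parsed. */
int freerdp_version_affected(const char *banner)
{
    static const unsigned fixed[3] = { 3, 21, 0 };
    unsigned v[3];
    if (!parse_version(banner, v))
        return -1;
    return cmp_version(v, fixed) < 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample banners, not captured from a real client. */
    const char *samples[] = {
        "This is FreeRDP version 3.20.2 (n/a)",
        "3.21.0",
        "version 2.11.7",
        "no version here",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> %d\n", samples[i], freerdp_version_affected(samples[i]));
    return 0;
}
```

Feed it the client's version output and act on the return value: 1 means the installed build is in the affected range, 0 means it is at or past the fixed release, and -1 means the banner could not be parsed and needs a manual look.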


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the FreeRDP client to version 3.21.0 or later, as this version contains the patch that fixes CVE-2026-23531 by improving input validation and bounds checking in the ClearCodec component. If upgrading is not immediately possible, consider restricting connections to trusted RDP servers only and monitoring for suspicious RDPGFX surface update traffic. Applying any available security patches or updates from your operating system or distribution that include the FreeRDP 3.21.0 release is also recommended. [2]

