CVE-2026-23532
Heap Buffer Overflow in FreeRDP Client Causes Potential Code Execution
Publication date: 2026-01-19
Last updated on: 2026-01-19
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | < 3.21.0 (3.21.0 excluded; first fixed release) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | Heap-based Buffer Overflow: a buffer overflow in which the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning it was obtained from a routine such as malloc(). |
AI Powered Q&A
Can you explain this vulnerability to me?
This is a client-side heap buffer overflow in FreeRDP's gdi_SurfaceToSurface function, which handles the SurfaceToSurface command sent by the server. The destination rectangle's coordinates are clamped to the surface bounds, but the width and height actually passed to the image copy are taken from the server-supplied rectangle without the same clamping. Because the origin is in range while the size is not, the copy runs past the end of the heap-allocated destination surface, so a malicious or compromised server can write out of bounds on the client. The direct effect is a crash (denial of service); since the overwritten memory is heap, corruption of adjacent allocations can in principle be turned into arbitrary code execution, depending on allocator behavior and heap layout. Versions before 3.21.0 are affected; 3.21.0 fixes the issue by clamping the copy size as well as the coordinates. [1]
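To make the clamping mismatch concrete, the following is an added illustrative model in C; it is not FreeRDP's code. The surface_t and copy_req_t types, the function names and the 64x64 / 128x128 sample surfaces are all constructed for this example. clamp_copy_buggy clamps only the destination origin, which is how the vulnerable path is described above; clamp_copy_fixed also clamps the copy size to what remains of both surfaces, and copy_out_of_bounds shows why the first form lets a row-wise memcpy leave the heap buffer.

```c
/* Illustrative model of a "clamped origin, unclamped size" copy bug.
 * Not FreeRDP's code: every type, name and sample value here is constructed
 * for this example. Surfaces are 32bpp; copy_req_t models the
 * server-controlled fields of a surface-to-surface copy command. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BPP 4u

typedef struct {
    uint32_t width, height;
    uint8_t *pixels;            /* width * height * BPP bytes on the heap */
} surface_t;

typedef struct {
    uint32_t src_x, src_y;      /* source origin (from the wire) */
    uint32_t dst_x, dst_y;      /* destination origin (from the wire) */
    uint32_t width, height;     /* size of the copied rectangle (from the wire) */
} copy_req_t;

static uint32_t min_u32(uint32_t a, uint32_t b) { return a < b ? a : b; }

/* Buggy form: only the destination coordinates are clamped to the surface
 * size; width/height go into the copy exactly as the server sent them. */
copy_req_t clamp_copy_buggy(const surface_t *dst, copy_req_t r)
{
    r.dst_x = min_u32(r.dst_x, dst->width);
    r.dst_y = min_u32(r.dst_y, dst->height);
    return r;                   /* r.width / r.height untouched */
}

/* Fixed form: also clamp the size so origin + size stays inside both the
 * source and the destination. A request starting at or past an edge
 * degenerates to an empty copy instead of an out-of-bounds one. */
copy_req_t clamp_copy_fixed(const surface_t *dst, const surface_t *src, copy_req_t r)
{
    r.dst_x = min_u32(r.dst_x, dst->width);
    r.dst_y = min_u32(r.dst_y, dst->height);
    r.src_x = min_u32(r.src_x, src->width);
    r.src_y = min_u32(r.src_y, src->height);
    r.width  = min_u32(r.width,  min_u32(dst->width  - r.dst_x, src->width  - r.src_x));
    r.height = min_u32(r.height, min_u32(dst->height - r.dst_y, src->height - r.src_y));
    return r;
}

/* Would a row-wise memcpy with these parameters write past the destination
 * or read past the source? Evaluated in 64 bits so that values near
 * UINT32_MAX from the wire cannot wrap the check. */
bool copy_out_of_bounds(const surface_t *dst, const surface_t *src, copy_req_t r)
{
    return (uint64_t)r.dst_x + r.width  > dst->width  ||
           (uint64_t)r.dst_y + r.height > dst->height ||
           (uint64_t)r.src_x + r.width  > src->width  ||
           (uint64_t)r.src_y + r.height > src->height;
}

/* The copy itself: refuses parameters that would leave either buffer and
 * returns the number of bytes written, or -1 when refused. */
long surface_copy(surface_t *dst, const surface_t *src, copy_req_t r)
{
    if (copy_out_of_bounds(dst, src, r))
        return -1;
    size_t row_bytes = (size_t)r.width * BPP;
    for (uint32_t y = 0; y < r.height; y++) {
        uint8_t *d = dst->pixels + ((size_t)(r.dst_y + y) * dst->width + r.dst_x) * BPP;
        const uint8_t *s = src->pixels + ((size_t)(r.src_y + y) * src->width + r.src_x) * BPP;
        memcpy(d, s, row_bytes);
    }
    return (long)row_bytes * r.height;
}

/* Constructed scenario: 64x64 destination, 128x128 source, and a request
 * whose destination origin (60,10) is in range but whose width (100) is not.
 * The buggy clamp keeps width 100, so the copy would run 96 pixels past the
 * right edge of every row; the fixed clamp reduces width to 4. */
static const copy_req_t sample_request = { 0, 0, 60, 10, 100, 20 };

/* Run the fixed path end to end on real heap buffers; returns bytes copied
 * (4 pixels * 4 bytes * 20 rows = 320). */
long run_demo(void)
{
    surface_t dst = { 64, 64, calloc(64u * 64u * BPP, 1) };
    surface_t src = { 128, 128, calloc(128u * 128u * BPP, 1) };
    if (!dst.pixels || !src.pixels) { free(dst.pixels); free(src.pixels); return -1; }
    memset(src.pixels, 0xAB, 128u * 128u * BPP);
    copy_req_t r = clamp_copy_fixed(&dst, &src, sample_request);
    long n = surface_copy(&dst, &src, r);
    free(dst.pixels);
    free(src.pixels);
    return n;
}
```

The point of the model is the asymmetry: clamping dst_x to 60 looks safe on its own, yet with width still 100 the first row already writes 384 bytes beyond the destination allocation. The bounds check is deliberately done in 64-bit arithmetic; a 32-bit `dst_x + width` comparison can itself wrap when both values come from the wire, and in a real decoder the same guard belongs where the command is parsed, before any size is handed to the copy.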
How can this vulnerability impact me?
A malicious or compromised Remote Desktop server can crash your FreeRDP client (denial of service) and, because the overflow corrupts heap memory, may be able to execute arbitrary code with the privileges of the user running the client, depending on allocator behavior and heap layout. The attack direction is server to client: exposure comes from connecting to a server the attacker controls or has taken over, and what is at stake is the client machine and the account it runs under. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The reliable check is the installed version: run xfreerdp --version (the binary name varies by distribution) or query the package manager, for example dpkg -l '*freerdp*' on Debian-based systems or rpm -qa '*freerdp*' on RPM-based systems, and treat anything below 3.21.0 as affected. FreeRDP is also shipped as a library (libfreerdp) that other desktop RDP clients link against, so check the library package those pull in, not only the xfreerdp binary. Beyond that, monitoring is weak evidence: crashes or abnormal terminations of the FreeRDP client during sessions to untrusted servers are consistent with the bug but not specific to it. Because the trigger is a SurfaceToSurface command with out-of-range dimensions, network detection would mean inspecting those commands, but RDP sessions are normally TLS-encrypted, so passive inspection is not practical without interception, and no detection signatures are provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Upgrade the FreeRDP client (and any libfreerdp library packages used by other clients) to version 3.21.0 or later, where the copy size is clamped along with the destination coordinates so the copy cannot write out of bounds. Until the upgrade is in place, limit FreeRDP connections to servers you control or trust, since exploitation requires the client to connect to a malicious or compromised server. [1]