CVE-2026-23532
Unknown Unknown - Not Provided
Heap Buffer Overflow in FreeRDP Client Causes Potential Code Execution

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-01-19
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23532
EUVD
EUVD-2026-3316
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freerdp freerdp to 3.21.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a client-side heap buffer overflow in the FreeRDP client, specifically in the gdi_SurfaceToSurface function. It occurs because the destination rectangle coordinates are clamped to a maximum value, but the actual copy size used in the image copy operation is not properly clamped. This mismatch allows a malicious server to trigger an out-of-bounds write during a surface-to-surface image copy, causing a heap buffer overflow. This can lead to a crash (denial of service) and potentially heap corruption, which might be exploited for arbitrary code execution depending on memory allocator behavior and heap layout. The issue affects FreeRDP versions prior to 3.21.0 and was fixed by properly clamping the copy size to prevent out-of-bounds writes. [1]

Impact Analysis

This vulnerability can impact you by allowing a malicious server to cause the FreeRDP client to crash, resulting in a denial of service. Additionally, it may lead to heap corruption that could be exploited to execute arbitrary code on the client system, depending on the memory allocator behavior and heap layout. This means an attacker could potentially take control of the client machine or disrupt its normal operation. [1]

Detection Guidance

This vulnerability can be detected by monitoring FreeRDP client behavior for crashes or abnormal terminations during Remote Desktop sessions, especially when connecting to potentially untrusted servers. Since the issue involves a heap buffer overflow triggered by a SurfaceToSurface PDU with large surface dimensions, detection might involve analyzing network traffic for unusually large or malformed SurfaceToSurface PDUs. However, no specific detection commands or signatures are provided in the available resources. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the FreeRDP client to version 3.21.0 or later, where the vulnerability has been patched by properly clamping the copy size parameters to prevent out-of-bounds writes. Until the upgrade is applied, avoid connecting to untrusted or potentially malicious Remote Desktop servers that could exploit this vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23532. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart