CVE-2026-23533
Unknown Unknown - Not Provided
Heap Buffer Overflow in FreeRDP RDPGFX Causes Potential Code Execution

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-01-19
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23533
EUVD
EUVD-2026-3315
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
freerdp freerdp to 3.21.0 (exc)
freerdp freerdp to 3.20.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a heap-based buffer overflow in FreeRDP versions prior to 3.21.0, occurring in the client-side RDPGFX ClearCodec decode path. When the client processes maliciously crafted residual data from a server, it causes out-of-bounds writes during color output due to an integer overflow in buffer size calculation and insufficient bounds checking. This leads to writing beyond the allocated heap buffer, potentially causing crashes or heap corruption. [1]

Impact Analysis

A malicious RDP server can exploit this vulnerability to cause the FreeRDP client to crash, resulting in a denial of service. Additionally, depending on the memory allocator behavior and heap layout, the heap corruption caused by the overflow may allow an attacker to execute arbitrary code on the client machine, posing a significant security risk. [1]

Detection Guidance

This vulnerability can be detected by monitoring FreeRDP client crashes or abnormal behavior when connecting to RDP servers, especially those sending malformed RDPGFX ClearCodec data. Using debugging tools like AddressSanitizer can help detect heap-buffer-overflows during testing. There are no specific network commands provided to detect this vulnerability directly. However, monitoring for crashes related to the ClearCodec decode path or analyzing RDP traffic for suspicious WIRE_TO_SURFACE_PDU_1 packets with unusually large width and height parameters might help identify exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade FreeRDP to version 3.21.0 or later, where the vulnerability has been patched. The patch includes changing buffer size calculations to use 64-bit integers to prevent integer overflow and buffer overflow. Until upgrading, avoid connecting to untrusted RDP servers, as a malicious server can exploit this vulnerability to crash the client or execute arbitrary code. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23533. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart