CVE-2026-23533
Heap Buffer Overflow in FreeRDP RDPGFX Causes Potential Code Execution
Publication date: 2026-01-19
Last updated on: 2026-01-19
Assigner: GitHub, Inc.
Description
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | up to 3.21.0 (exclusive) |
| freerdp | freerdp | up to 3.20.2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a heap-based buffer overflow in FreeRDP versions prior to 3.21.0, occurring in the client-side RDPGFX ClearCodec decode path. When the client processes maliciously crafted residual data from a server, it causes out-of-bounds writes during color output due to an integer overflow in buffer size calculation and insufficient bounds checking. This leads to writing beyond the allocated heap buffer, potentially causing crashes or heap corruption. [1]
How can this vulnerability impact me?
A malicious RDP server can exploit this vulnerability to cause the FreeRDP client to crash, resulting in a denial of service. Additionally, depending on the memory allocator behavior and heap layout, the heap corruption caused by the overflow may allow an attacker to execute arbitrary code on the client machine, posing a significant security risk. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring FreeRDP client crashes or abnormal behavior when connecting to RDP servers, especially those sending malformed RDPGFX ClearCodec data. Using debugging tools like AddressSanitizer can help detect heap-buffer-overflows during testing. There are no specific network commands provided to detect this vulnerability directly. However, monitoring for crashes related to the ClearCodec decode path or analyzing RDP traffic for suspicious WIRE_TO_SURFACE_PDU_1 packets with unusually large width and height parameters might help identify exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade FreeRDP to version 3.21.0 or later, where the vulnerability has been patched. The patch includes changing buffer size calculations to use 64-bit integers to prevent integer overflow and buffer overflow. Until upgrading, avoid connecting to untrusted RDP servers, as a malicious server can exploit this vulnerability to crash the client or execute arbitrary code. [1]
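The explanation and mitigation answers above describe the root cause as a 32-bit buffer size calculation that wraps for large dimensions, combined with missing bounds checks on the residual writes, and the fix as widening that arithmetic to 64 bits. The following C example, added here and not FreeRDP's own code, contrasts the two size computations and shows a small residual decoder that validates both the surface size and every run before writing. The record format (4-byte {B, G, R, run} entries), the function names and the sample inputs are constructed for illustration only and do not reflect the real ClearCodec wire format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative 32-bit size computation (not FreeRDP's code): the product wraps
 * silently, so 65536 x 65536 x 4 evaluates to 0 and a tiny buffer "fits". */
uint32_t size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Hardened form, in the spirit of the fix described above: widen to 64 bits
 * and refuse any surface that is empty or exceeds the 32-bit range. */
bool size_checked(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    uint64_t need = (uint64_t)width * height * bpp;
    if (need == 0 || need > UINT32_MAX)
        return false;
    *out = (size_t)need;
    return true;
}

/* Hypothetical residual format for this example only: a sequence of 4-byte
 * records {B, G, R, run}, each painting `run` 32-bit BGRX pixels.
 * Returns 0 on success, a negative code on any size or bounds violation. */
int decode_residual(const uint8_t *src, size_t src_len,
                    uint32_t width, uint32_t height,
                    uint8_t *dst, size_t dst_size)
{
    const uint32_t bpp = 4;
    size_t need;
    if (!size_checked(width, height, bpp, &need))
        return -1;                      /* dimensions overflow or are zero */
    if (need > dst_size)
        return -2;                      /* destination buffer too small */

    uint64_t total_pixels = (uint64_t)width * height;
    uint64_t written = 0;
    size_t pos = 0;

    while (pos + 4 <= src_len) {
        uint8_t b = src[pos], g = src[pos + 1], r = src[pos + 2], run = src[pos + 3];
        pos += 4;
        if (run == 0)
            return -3;                  /* malformed zero-length run */
        if (written + run > total_pixels)
            return -4;                  /* run would write past the surface */
        for (uint8_t i = 0; i < run; i++) {
            uint8_t *px = dst + (size_t)(written + i) * bpp;
            px[0] = b; px[1] = g; px[2] = r; px[3] = 0;
        }
        written += run;
    }
    if (pos != src_len)
        return -5;                      /* trailing partial record */
    if (written != total_pixels)
        return -6;                      /* residual does not cover the surface */
    return 0;
}

/* Runs constructed sample inputs; returns how many of the 4 checks behaved
 * as expected (a valid stream decodes, three malformed cases are rejected). */
int demo(void)
{
    static const uint8_t good[] = { 0x11, 0x22, 0x33, 3, 0x44, 0x55, 0x66, 1 };
    static const uint8_t long_run[] = { 0x11, 0x22, 0x33, 5 };
    uint8_t dst[16];
    int ok = 0;
    memset(dst, 0xAA, sizeof dst);
    if (decode_residual(good, sizeof good, 2, 2, dst, sizeof dst) == 0 &&
        dst[0] == 0x11 && dst[12] == 0x44 && dst[15] == 0)
        ok++;
    if (decode_residual(long_run, sizeof long_run, 2, 2, dst, sizeof dst) == -4)
        ok++;
    if (decode_residual(good, sizeof good, 2, 2, dst, 8) == -2)
        ok++;
    if (decode_residual(good, sizeof good, 65536u, 65536u, dst, sizeof dst) == -1)
        ok++;
    return ok;
}

int main(void)
{
    printf("32-bit size for 65536x65536x4: %u\n", size_unchecked(65536u, 65536u, 4u));
    printf("%d of 4 checks behaved as expected\n", demo());
    return demo() == 4 ? 0 : 1;
}
```

The point to carry over into any decoder review is that the size check and the per-run check are both needed: the 64-bit computation stops the allocation from being undersized, while the running pixel count stops a well-formed header from being followed by residual data that outruns the surface.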