CVE-2026-23534
Heap Buffer Overflow in FreeRDP ClearCodec Causes Potential Code Execution

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Meta Information
Published: 2026-01-19
Last Modified: 2026-01-19
Generated: 2026-05-07
AI Q&A: 2026-01-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor    Product    Version / Range
freerdp   freerdp    up to 3.21.0 (exclusive)
freerdp   freerdp    up to 3.20.2 (inclusive)
CWE
CWE-122: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-23534 is a heap-based buffer overflow vulnerability in FreeRDP versions up to 3.20.2, specifically in the ClearCodec bands decode path. The flaw occurs because the code incorrectly allows band coordinates equal to the destination surface's width or height, leading to out-of-bounds writes past the end of the allocated surface buffer. This happens in the function processing graphics data from a server, where improper bounds checking causes writes beyond the buffer, potentially causing crashes or heap corruption. The vulnerability can be triggered by a malicious server sending crafted data. It was fixed in FreeRDP version 3.21.0 by tightening the bounds checks. [1]

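The off-by-one described in the answer above, as an added illustration that is not FreeRDP's code and not the actual patch: a band whose end coordinate equals the surface width or height passes a `<=` bound but indexes one pixel past the heap buffer, while a `<` bound rejects it. The struct and function names, the inclusive end coordinates and the 32-bit pixel layout are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a decoded surface: width x height 32-bit pixels
 * stored row-major in one heap block of width * height entries. */
typedef struct {
    uint32_t width;
    uint32_t height;
} surface_dims;

/* A ClearCodec-style band as the decoder sees it: start and end pixel
 * positions on each axis. xEnd/yEnd are the last pixel the band covers
 * (assumed inclusive here; the field names are illustrative). */
typedef struct {
    uint32_t xStart, xEnd, yStart, yEnd;
} band_coords;

/* Index (in pixels) of the last pixel a band write would touch. */
size_t band_last_index(const band_coords *b, const surface_dims *s)
{
    return (size_t)b->yEnd * s->width + b->xEnd;
}

/* Weak check, illustrating the bug class the advisory describes: it only
 * rejects coordinates strictly greater than the dimension, so a band whose
 * end equals width or height passes even though pixel column 'width' (or
 * row 'height') lies one past the allocated buffer. */
bool band_check_weak(const band_coords *b, const surface_dims *s)
{
    if (b->xStart > b->xEnd || b->yStart > b->yEnd)
        return false;
    return b->xEnd <= s->width && b->yEnd <= s->height;
}

/* Corrected check: valid pixel positions are 0..width-1 and 0..height-1,
 * so a coordinate equal to the dimension must be rejected. Every band this
 * accepts satisfies band_last_index() < width * height. */
bool band_check_fixed(const band_coords *b, const surface_dims *s)
{
    if (b->xStart > b->xEnd || b->yStart > b->yEnd)
        return false;
    return b->xEnd < s->width && b->yEnd < s->height;
}
```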

How can this vulnerability impact me?

This vulnerability can impact you by allowing a malicious server to cause a client-side heap buffer overflow in FreeRDP, which may lead to a crash (denial of service) or heap corruption. Depending on the memory allocator behavior and heap layout, it could also allow arbitrary code execution on the client machine, posing a significant security risk. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring FreeRDP client versions and by watching network traffic for suspicious or malformed WIRE_TO_SURFACE_PDU_1 messages containing crafted band coordinates that may trigger the heap buffer overflow. Since the vulnerability occurs in the ClearCodec bands decode path when processing these messages, detection could involve checking whether the installed FreeRDP client version is below 3.21.0 (and therefore affected) and using debugging or memory analysis tools such as AddressSanitizer to detect out-of-bounds writes during FreeRDP usage. Specific commands are not provided in the resources. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade FreeRDP to version 3.21.0 or later, which contains the patch that fixes the heap buffer overflow by correcting the boundary checks in the ClearCodec bands decode path. Additionally, avoid connecting to untrusted or potentially malicious Remote Desktop servers until the update is applied. [1]

