CVE-2026-23732
Buffer Overflow in FreeRDP FastGlyph Parsing Causes DoS
Publication date: 2026-01-19
Last updated on: 2026-01-19
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | before 3.21.0 (3.21.0 excluded) |
| freerdp | freerdp | 3.21.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a heap-based buffer overflow in FreeRDP versions prior to 3.21.0. It occurs during FastGlyph parsing where the code trusts the cbData field (remaining data length) without validating it against the minimum size required by the glyph dimensions (cx and cy). Specifically, the Glyph_Alloc function allocates memory based on an unvalidated cbData value and copies glyph data without consistency checks. This can cause the client to read beyond the allocated buffer, leading to a heap buffer overflow. A malicious RDP server can exploit this by sending crafted glyph data, causing the client application to crash (denial of service). The issue was fixed in version 3.21.0 by adding proper validation of glyph data size before allocation and copying. [4]
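As an added illustration, not FreeRDP's code or its actual 3.21.0 patch, the following C sketch shows the consistency check the answer above describes: the minimum bitmap size is derived from cx and cy (assuming the 1bpp, 2-byte-padded scanline layout of RDP glyph data), and the server-supplied cbData must cover it before anything is allocated or copied. All function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not FreeRDP code): bytes a 1bpp glyph bitmap of
 * cx x cy pixels needs when each scanline is padded to a 2-byte boundary.
 * Returns 0 for empty dimensions or when the size computation would wrap. */
size_t glyph_required_bytes(uint32_t cx, uint32_t cy)
{
    if (cx == 0 || cy == 0)
        return 0;
    size_t scanline = ((size_t)cx + 7) / 8;  /* whole bytes per row */
    if (scanline % 2 != 0)
        scanline++;                          /* pad row to 16 bits */
    if (cy > SIZE_MAX / scanline)            /* multiplication would wrap */
        return 0;
    return scanline * (size_t)cy;
}

/* The check the advisory describes as missing before 3.21.0: reject the
 * glyph unless the server-supplied cbData covers the whole bitmap. */
bool glyph_size_consistent(uint32_t cx, uint32_t cy, uint32_t cbData)
{
    size_t need = glyph_required_bytes(cx, cy);
    return need != 0 && (size_t)cbData >= need;
}

/* Validate first, then allocate and copy exactly the bytes the converter
 * will later read. Returns NULL on rejection; caller frees the result. */
uint8_t* glyph_copy_checked(uint32_t cx, uint32_t cy,
                            const uint8_t* data, uint32_t cbData)
{
    if (data == NULL || !glyph_size_consistent(cx, cy, cbData))
        return NULL;
    size_t need = glyph_required_bytes(cx, cy);
    uint8_t* out = malloc(need);
    if (out == NULL)
        return NULL;
    memcpy(out, data, need);  /* need <= cbData, so no over-read of data */
    return out;
}
```

With cbData smaller than the cx/cy-derived size the copy is refused outright, which is the condition that previously led to a read past the heap allocation.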
How can this vulnerability impact me?
A malicious Remote Desktop Protocol (RDP) server can exploit this vulnerability by sending specially crafted glyph data to a FreeRDP client. This triggers a heap buffer overflow on the client side, which can cause the client application to crash, resulting in a denial of service (DoS). This means that users relying on FreeRDP to connect to RDP servers could experience unexpected application crashes and loss of remote desktop connectivity. [4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or denial of service events in FreeRDP clients prior to version 3.21.0 when connecting to potentially malicious RDP servers. Since the issue involves heap buffer overflow triggered by malformed FastGlyph data, one could use debugging tools like AddressSanitizer or memory error detectors to identify out-of-bounds reads in the freerdp_glyph_convert function. However, no specific network detection commands or signatures are provided in the resources. Monitoring logs for client crashes or unusual RDP session terminations may help detect exploitation attempts. [4]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade FreeRDP to version 3.21.0 or later, where the vulnerability has been patched by adding proper validation of glyph data size against expected dimensions before memory allocation and copying. Until the upgrade can be applied, avoid connecting to untrusted or potentially malicious RDP servers to reduce the risk of exploitation. [4]