CVE-2026-26955
Received Received - Intake
Heap Buffer Overflow in FreeRDP GDI Surface Enables Code Execution

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command β€” full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26955
EUVD
EUVD-2026-8739
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freerdp freerdp to 3.23.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability is triggered by a malicious RDP server sending crafted ClearCodec surface commands with out-of-bounds destination rectangles to a FreeRDP client using the GDI surface pipeline (e.g., xfreerdp). Detection involves monitoring RDP traffic for suspicious ClearCodec commands with destination rectangle coordinates that exceed expected surface dimensions.

Specifically, detection can focus on identifying ClearCodec commands where the rectangle offsets (cmd->left, cmd->top) are outside the valid surface bounds, which the vulnerable FreeRDP client fails to validate.

While no explicit commands are provided in the resources, network administrators can use packet capture tools (e.g., Wireshark or tcpdump) to capture RDP traffic and filter for ClearCodec surface commands. Analyzing these packets for out-of-bounds rectangle parameters could indicate exploitation attempts.

On the client system, monitoring for crashes or abnormal behavior in FreeRDP clients (such as xfreerdp) when connecting to RDP servers may also indicate exploitation attempts, as the vulnerability leads to heap corruption and potential crashes.

Executive Summary

CVE-2026-26955 is a critical heap buffer overflow vulnerability in FreeRDP versions prior to 3.23.0, specifically in the handling of the ClearCodec surface command within the GDI surface pipeline (such as the xfreerdp client).

The vulnerability arises because the function responsible for processing ClearCodec commands, `gdi_SurfaceCommand_ClearCodec()`, does not validate the destination rectangle coordinates against the surface dimensions. This missing bounds check allows a malicious RDP server to send crafted commands with out-of-bounds rectangle values.

As a result, the client performs out-of-bounds writes into the heap-allocated surface pixel buffer, corrupting adjacent memory structures, specifically a pointer to codec data. This corruption can be exploited to hijack control flow and achieve remote code execution on the client.

Impact Analysis

This vulnerability allows a malicious RDP server to execute arbitrary code on a vulnerable FreeRDP client by exploiting a heap buffer overflow triggered during processing of crafted ClearCodec commands.

The impact includes potential full compromise of the client system, as the attacker can gain control over the instruction pointer and execute code with the privileges of the FreeRDP client process.

Additionally, this can lead to crashes or denial of service if the exploit is not successful, disrupting remote desktop sessions.

Compliance Impact

I don't know

Mitigation Strategies

The primary mitigation step is to upgrade FreeRDP clients to version 3.23.0 or later, where the vulnerability has been patched by adding proper bounds validation in the ClearCodec surface command handler.

If upgrading immediately is not possible, consider restricting or monitoring connections to untrusted or potentially malicious RDP servers, as the vulnerability is exploited by malicious servers sending crafted ClearCodec commands.

Additionally, applying any available patches or updates that fix boundary checks in codec decompression routines (such as those described in the commit fixing clear_decompress_subcodecs_data) can help reduce risk.

Implementing network-level protections such as firewall rules or intrusion detection systems to detect and block suspicious RDP traffic patterns may also help mitigate exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26955. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart