CVE-2026-31806
Heap Buffer Overflow in FreeRDP NSCodec Bitmap Decoding
Publication date: 2026-03-13
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | up to 3.24.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31806 is a high-severity heap buffer overflow vulnerability in FreeRDP versions up to 3.23.0. It occurs in the gdi_surface_bits() function, which processes SURFACE_BITS_COMMAND messages from an RDP server. When handling these commands using the NSCodec path, the bitmap width (bmp.width) and height (bmp.height) values provided by the server are not properly validated against the actual desktop dimensions negotiated during the RDP session.
Because the bmp.width and bmp.height values can exceed the expected surface size and are used during bitmap decoding and memory operations without proper bounds checking, a malicious RDP server can cause a heap buffer overflow. This overflow can overwrite adjacent heap memory since the attacker controls both the bitmap dimensions and the associated pixel data.
This vulnerability can lead to heap corruption and potentially remote code execution. It was fixed in FreeRDP version 3.24.0 by adding proper boundary checks to ensure the bitmap fits within the allocated buffer.
How can this vulnerability impact me?
This vulnerability can allow a malicious RDP server to cause a heap buffer overflow in a FreeRDP client by sending crafted bitmap dimensions and pixel data. The overflow can overwrite adjacent heap memory, potentially leading to heap corruption.
The impact includes the possibility of remote code execution (RCE) on the client machine, which means an attacker could execute arbitrary code with the privileges of the FreeRDP process.
In some builds, this may cause silent memory corruption without immediate crashes, making it harder to detect. In debug builds with AddressSanitizer, the overflow is detected and reported.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for abnormal or crafted SURFACE_BITS_COMMAND messages sent by an RDP server that contain bitmap width and height values exceeding the expected desktop dimensions.
In builds instrumented with AddressSanitizer (ASAN), attempts to process these crafted messages will trigger error reports indicating heap buffer overflows.
A proof-of-concept test harness exists that simulates the overflow by invoking the vulnerable function with oversized bitmap dimensions (e.g., 4000×4000 pixels) against a smaller desktop buffer (e.g., 1024×768).
While no specific detection commands are provided, using ASAN-instrumented FreeRDP builds and running the PoC test harness can help detect the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade FreeRDP to version 3.24.0 or later, where this vulnerability has been fixed.
The fix involves added boundary checks in the function processing SURFACE_BITS_COMMAND messages to ensure bitmap dimensions do not exceed the allocated buffer size, preventing heap buffer overflow.
Until the upgrade is applied, avoid connecting to untrusted or potentially malicious RDP servers that could exploit this vulnerability.
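As an added illustration of the kind of boundary check the fix describes (example code written for this page, not FreeRDP's own gdi_surface_bits() or NSCodec code; the surface_t type and the function names are hypothetical), the snippet below validates server-supplied bitmap placement and dimensions against the client's desktop surface before any pixel data is copied, using 64-bit arithmetic so that x+width and width*height cannot wrap around:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical client-side desktop surface (the buffer a decoded bitmap is written into). */
typedef struct {
    uint32_t width, height;   /* negotiated desktop dimensions in pixels */
    uint32_t bpp;             /* bytes per pixel */
    uint8_t *data;
    size_t   size;            /* bytes available in data */
} surface_t;

/* Reject any bitmap that would not fit entirely inside the surface at (x, y). */
bool surface_bits_fit(const surface_t *s, uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    if (w == 0 || h == 0) return false;
    if ((uint64_t)x + w > s->width)  return false;   /* 64-bit: no wrap on huge x or w */
    if ((uint64_t)y + h > s->height) return false;
    if ((uint64_t)w * h * s->bpp > s->size) return false; /* redundant with the above, kept as a second guard */
    return true;
}

/* Copy decoded rows into the surface only after the check passes. 0 = copied, -1 = rejected. */
int blit_surface_bits(surface_t *s, uint32_t x, uint32_t y, uint32_t w, uint32_t h,
                      const uint8_t *pixels, size_t pixels_len)
{
    if (!surface_bits_fit(s, x, y, w, h)) return -1;
    size_t row_bytes = (size_t)w * s->bpp;
    if (pixels_len < row_bytes * h) return -1;       /* server sent fewer bytes than claimed */
    for (uint32_t r = 0; r < h; r++) {
        uint8_t *dst = s->data + ((size_t)(y + r) * s->width + x) * s->bpp;
        memcpy(dst, pixels + (size_t)r * row_bytes, row_bytes);
    }
    return 0;
}

/* Constructed inputs matching the advisory's figures: 1024x768 desktop, 4000x4000 bitmap. */
int demo_oversized_bitmap(void)
{
    static uint8_t desk[1024 * 768 * 4];
    surface_t s = { 1024, 768, 4, desk, sizeof desk };
    static const uint8_t px[16] = { 0 };             /* placeholder pixel data */
    return blit_surface_bits(&s, 0, 0, 4000, 4000, px, sizeof px);  /* -1: rejected */
}

/* A 2x2 bitmap in the bottom-right corner is accepted and lands on the last bytes. */
int demo_in_bounds(void)
{
    static uint8_t desk[1024 * 768 * 4];
    surface_t s = { 1024, 768, 4, desk, sizeof desk };
    uint8_t px[2 * 2 * 4];
    memset(px, 0xAB, sizeof px);
    if (blit_surface_bits(&s, 1022, 766, 2, 2, px, sizeof px) != 0) return -1;
    return desk[sizeof desk - 1] == 0xAB ? 0 : -2;
}
```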