CVE-2026-40033
Status: Received - Intake
Heap-Buffer-Overflow in FreeRDP

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: VulnCheck

Description
FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but performs copy operations using unclamped cache entry dimensions, enabling malicious RDP servers to trigger large out-of-bounds writes and potentially achieve remote code execution or client crash.
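The mechanism in the description, a bounds check that clamps the destination extent to UINT16_MAX while the copy that follows uses the unclamped cache entry dimensions, is easiest to see side by side with its hardened form. The following is a constructed illustration added to this record; it is not FreeRDP's code, and the types, function names and the 65535-pixel-wide surface used in the worked case are assumptions chosen to make the mismatch visible.

```c
/* Constructed illustration of a clamp-before-check bounds bug and its fix.
 * Not FreeRDP code: surface_t, cache_entry_t and all functions are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for a drawing surface and a cached bitmap (1 byte per pixel). */
typedef struct {
    uint16_t width;
    uint16_t height;
    uint8_t* data; /* width * height bytes */
} surface_t;

typedef struct {
    uint16_t width;
    uint16_t height;
} cache_entry_t;

/* Weak pattern: the destination rectangle is clamped to UINT16_MAX before it is
 * compared against the surface. A placement that really extends past 65535 is
 * silently shortened for the check, while the copy still uses the full entry size. */
static bool dest_fits_clamped(const surface_t* s, uint16_t x, uint16_t y, const cache_entry_t* e) {
    uint32_t right = (uint32_t)x + e->width;
    uint32_t bottom = (uint32_t)y + e->height;
    uint16_t r = (uint16_t)(right > UINT16_MAX ? UINT16_MAX : right);
    uint16_t b = (uint16_t)(bottom > UINT16_MAX ? UINT16_MAX : bottom);
    return r <= s->width && b <= s->height;
}

/* Hardened pattern: compute the extent in a wider type and reject anything that
 * does not fit, so the rectangle that was validated is exactly the one copied. */
static bool dest_fits_checked(const surface_t* s, uint16_t x, uint16_t y, const cache_entry_t* e) {
    uint32_t right = (uint32_t)x + e->width;
    uint32_t bottom = (uint32_t)y + e->height;
    return right <= s->width && bottom <= s->height;
}

/* Bytes a naive row-by-row copy would write past the end of the surface buffer
 * for this placement (0 means the copy stays inside the allocation). */
static uint32_t overflow_bytes(const surface_t* s, uint16_t x, uint16_t y, const cache_entry_t* e) {
    if (e->width == 0 || e->height == 0)
        return 0;
    uint32_t end = ((uint32_t)y + e->height - 1) * s->width + (uint32_t)x + e->width;
    uint32_t size = (uint32_t)s->width * s->height;
    return end > size ? end - size : 0;
}

/* Copy a cache entry onto the surface only after the hardened check passes.
 * Returns false, writing nothing, when the placement does not fit. */
static bool cache_to_surface(surface_t* s, uint16_t x, uint16_t y, const cache_entry_t* e,
                             const uint8_t* pixels) {
    if (!dest_fits_checked(s, x, y, e))
        return false;
    for (uint32_t row = 0; row < e->height; row++)
        memcpy(s->data + ((uint32_t)y + row) * s->width + x, pixels + row * e->width, e->width);
    return true;
}

/* Worked case (assumed numbers): a 65535-pixel-wide surface, a 1000-pixel-wide entry
 * placed at x = 65000. Returns 1 when the clamped check accepts what the exact check rejects. */
static int clamped_check_accepts_overflowing_placement(void) {
    surface_t big = { 65535, 1, NULL }; /* dimensions only; no buffer is touched */
    cache_entry_t e = { 1000, 1 };
    bool clamped = dest_fits_clamped(&big, 65000, 0, &e);
    bool checked = dest_fits_checked(&big, 65000, 0, &e);
    return clamped && !checked;
}

int main(void) {
    uint8_t buf[16] = { 0 };
    surface_t s = { 4, 4, buf };
    cache_entry_t e = { 2, 2 };
    const uint8_t pixels[4] = { 1, 2, 3, 4 };
    printf("clamped check accepts an overflowing placement: %d\n",
           clamped_check_accepts_overflowing_placement());
    printf("blit at (2,2): %s\n", cache_to_surface(&s, 2, 2, &e, pixels) ? "ok" : "rejected");
    printf("blit at (3,3): %s (would overflow by %u bytes)\n",
           cache_to_surface(&s, 3, 3, &e, pixels) ? "ok" : "rejected", overflow_bytes(&s, 3, 3, &e));
    return 0;
}
```

The point of the worked case is that clamping is not validation: once the extent has been truncated to fit in a UINT16, the comparison can only ever say "fits" for a surface whose edge sits at 65535, even though the subsequent copy will run the full entry width past the buffer. Computing the extent in a wider integer and rejecting the placement keeps the checked rectangle and the copied rectangle identical.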
Meta Information
Published: 2026-05-26
Last Modified: 2026-05-26
Generated: 2026-05-26
AI Q&A: 2026-05-26
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: freerdp
Product: freerdp
Version / Range: up to 3.26.0 (exclusive)
CWE
CWE-122: A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40033 is a heap-buffer-overflow vulnerability in the FreeRDP client library, specifically in the gdi_CacheToSurface function of the RDPGFX component.

The vulnerability occurs because the rectangle validation clamps coordinates to UINT16_MAX, but the actual copy operation uses the original, unclamped cache entry dimensions. This mismatch allows a malicious RDP server to cause large out-of-bounds writes to heap memory.

An attacker can exploit this by sending crafted RDPGFX PDUs to a FreeRDP client with RDPGFX enabled, potentially causing client crashes or enabling remote code execution.

The vulnerability affects FreeRDP versions up to and including 3.25.0 and was fixed in version 3.26.0.


How can this vulnerability impact me?

This vulnerability can have serious impacts including remote code execution and client crashes.

A remote attacker controlling a malicious RDP server can exploit this flaw to write out-of-bounds heap memory, potentially executing arbitrary code on the client system without requiring any privileges.

User interaction is limited to connecting to the malicious server, making it a high-risk vulnerability.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the CVE-2026-40033 vulnerability, you should upgrade FreeRDP to version 3.26.0 or later, where the heap-buffer-overflow issue in the gdi_CacheToSurface function has been fixed.

Avoid connecting to untrusted or potentially malicious RDP servers, as the vulnerability can be triggered by crafted RDPGFX PDUs sent from such servers.

