CVE-2026-40033
Status: Analyzed (analysis complete)
Heap-Buffer-Overflow in FreeRDP

Publication date: 2026-05-26

Last updated on: 2026-05-27

Assigner: VulnCheck

Description
FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but performs copy operations using unclamped cache entry dimensions, enabling malicious RDP servers to trigger large out-of-bounds writes and potentially achieve remote code execution or client crash.
Meta Information
Generated: 2026-06-15
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14
References: NVD, EUVD
Affected Vendors & Products
Vendor: freerdp
Product: freerdp
Version / Range: all versions before 3.26.0 (3.26.0 itself is not affected)
CWE ID: CWE-122 (Heap-based Buffer Overflow)
Description: A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
AI Quick Actions
Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-40033 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-40033 is a heap-buffer-overflow vulnerability in the FreeRDP client library, specifically in the gdi_CacheToSurface function of the RDPGFX component.

The vulnerability occurs because the rectangle validation clamps coordinates to UINT16_MAX, but the actual copy operation uses the original, unclamped cache entry dimensions. This mismatch allows a malicious RDP server to cause large out-of-bounds writes to heap memory.
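
The following C program is an added illustration of that validate/copy mismatch; it is not FreeRDP's code. The types surface_t, cache_entry_t and dest_point_t, the 4-byte pixel assumption, and the function names are simplified stand-ins modelled on the description: rectangle edges are 16-bit and therefore clamped, while cache-entry dimensions are 32-bit and drive the copy. The vulnerable checker accepts a destination whose copy runs past the allocation; the hardened checker compares the unclamped extents in a wide type and rejects it. The out-of-bounds write itself is only computed, not performed.

```c
/* Added example: simplified model of a clamp-then-copy bounds bug.
 * NOT FreeRDP source; names and layout are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BPP 4 /* assumed 32-bit pixels */
#define MIN(a, b) ((a) < (b) ? (a) : (b))

typedef struct { uint32_t width, height, scanline; size_t size; uint8_t *data; } surface_t;
typedef struct { uint32_t width, height; const uint8_t *data; } cache_entry_t;
typedef struct { uint16_t x, y; } dest_point_t; /* 16-bit, as in the RDPGFX PDU */

static surface_t make_surface(uint32_t w, uint32_t h)
{
    surface_t s = { w, h, w * BPP, (size_t)w * BPP * h, NULL };
    s.data = calloc(1, s.size); /* zero-filled so copies are observable */
    return s;
}

/* Vulnerable pattern: right/bottom are squeezed into 16-bit fields, so they are
 * clamped to UINT16_MAX before the check. If the surface is itself UINT16_MAX
 * wide, a clamped right edge always "fits" no matter how wide the entry is. */
static bool validate_clamped(const surface_t *s, const cache_entry_t *e, dest_point_t p)
{
    uint16_t right  = (uint16_t)MIN(UINT16_MAX, (uint64_t)p.x + e->width);
    uint16_t bottom = (uint16_t)MIN(UINT16_MAX, (uint64_t)p.y + e->height);
    return right <= s->width && bottom <= s->height;
}

/* Hardened check: validate exactly the dimensions the copy will use, in a type
 * that cannot overflow or be clamped. */
static bool validate_unclamped(const surface_t *s, const cache_entry_t *e, dest_point_t p)
{
    uint64_t right  = (uint64_t)p.x + e->width;
    uint64_t bottom = (uint64_t)p.y + e->height;
    return e->width > 0 && e->height > 0 && right <= s->width && bottom <= s->height;
}

/* Bytes a row-by-row copy using the entry's own width/height would write past
 * the end of the surface allocation (0 when the copy fits). */
static size_t overflow_bytes(const surface_t *s, const cache_entry_t *e, dest_point_t p)
{
    if (e->width == 0 || e->height == 0) return 0;
    uint64_t last_row = (uint64_t)p.y + e->height - 1;
    uint64_t end = last_row * s->scanline + (uint64_t)p.x * BPP + (uint64_t)e->width * BPP;
    return end > s->size ? (size_t)(end - s->size) : 0;
}

/* CacheToSurface with the hardened check gating the actual copy. */
static bool cache_to_surface_fixed(surface_t *s, const cache_entry_t *e, dest_point_t p)
{
    if (!validate_unclamped(s, e, p)) return false;
    for (uint32_t row = 0; row < e->height; row++)
        memcpy(s->data + ((size_t)p.y + row) * s->scanline + (size_t)p.x * BPP,
               e->data + (size_t)row * e->width * BPP, (size_t)e->width * BPP);
    return true;
}

int main(void)
{
    /* Constructed attacker scenario: 65535-pixel-wide surface (only 2 rows, so
     * the allocation is small), a 1000x2 cache entry placed at x = 65000. */
    surface_t s = make_surface(UINT16_MAX, 2);
    cache_entry_t e = { 1000, 2, NULL };
    dest_point_t p = { 65000, 0 };
    printf("clamped check accepts: %d\n", validate_clamped(&s, &e, p));   /* 1 */
    printf("unclamped check accepts: %d\n", validate_unclamped(&s, &e, p)); /* 0 */
    printf("bytes written past allocation: %zu\n", overflow_bytes(&s, &e, p));
    free(s.data);
    return 0;
}
```

The clamped check only misbehaves when p.x + width exceeds UINT16_MAX, which is why the bug needs a surface at the 16-bit size limit; for ordinary sizes both checks agree, so a test that never approaches the limit would not have caught it.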

An attacker can exploit this by sending crafted RDPGFX PDUs to a FreeRDP client with RDPGFX enabled, potentially causing client crashes or enabling remote code execution.

The vulnerability affects all FreeRDP versions before 3.26.0 and was fixed in version 3.26.0.

Impact Analysis

This vulnerability can have serious impacts including remote code execution and client crashes.

A remote attacker controlling a malicious RDP server can exploit this flaw to write out-of-bounds heap memory, potentially executing arbitrary code on the client system without requiring any privileges.

The only user interaction required is that the victim connect to a server the attacker controls; no further action is needed once the session is established, which makes this a high-risk vulnerability.

Mitigation Strategies

To mitigate the CVE-2026-40033 vulnerability, you should upgrade FreeRDP to version 3.26.0 or later, where the heap-buffer-overflow issue in the gdi_CacheToSurface function has been fixed.

Avoid connecting to untrusted or potentially malicious RDP servers, as the vulnerability can be triggered by crafted RDPGFX PDUs sent from such servers.

Detection Guidance

This vulnerability occurs when a FreeRDP client connects to a malicious RDP server that sends specially crafted RDPGFX PDUs triggering a heap-buffer-overflow in the gdi_CacheToSurface function.

Detection on the network or host would involve monitoring for connections to untrusted or unexpected RDP servers, and watching for unexpected crashes of FreeRDP-based clients (core dumps, crash reports) during RDP sessions.

Since the vulnerability is triggered by crafted RDPGFX packets, one approach is to identify FreeRDP client versions before 3.26.0 running on your systems, as these are vulnerable.

Suggested commands to detect vulnerable FreeRDP versions on your system include:

  • Check the installed client version: `xfreerdp /version`. Note that the vulnerable code lives in the libfreerdp library, so other clients that link it (for example Remmina) are affected as well; `freerdp-shadow-cli` is the server component and is not the exposed surface here.
  • Use package manager queries, e.g., `dpkg -l | grep freerdp` on Debian-based systems or `rpm -qa | grep freerdp` on RPM-based systems, and check the library packages (libfreerdp*) as well as the client binary.

For network detection, monitoring RDP traffic for unusual or malformed RDPGFX PDUs would require deep packet inspection tools or custom IDS/IPS signatures, but no specific commands or signatures are provided in the available resources.
