CVE-2026-44421
Heap-Buffer-Overflow in FreeRDP Client
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | to 3.25.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a heap-buffer-overflow in the FreeRDP client, specifically in the RDPGFX component. It occurs when a malicious RDP server sends specially crafted RDPGFX PDUs to a FreeRDP client that has RDPGFX enabled. The issue lies in the function gdi_CacheToSurface, where a destination rectangle is validated and clamped to a maximum value, but the actual memory copy uses the original, larger dimensions. This mismatch causes an out-of-bounds write on the heap, which can lead to client crashes or allow an attacker to execute arbitrary code.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including causing the FreeRDP client to crash or allowing a remote attacker to execute arbitrary code on the client machine. Since the exploit can be triggered remotely by a malicious RDP server without requiring any privileges and only needing the user to connect, it poses a high security risk. This could lead to unauthorized access, data compromise, or disruption of services on the affected client.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring FreeRDP client versions and network traffic involving RDP connections with RDPGFX enabled. Specifically, detection involves identifying FreeRDP clients running versions prior to 3.26.0, as these are vulnerable.
Since the vulnerability is triggered by crafted RDPGFX PDUs sent from a malicious RDP server, network detection can focus on inspecting RDP traffic for unusual or malformed RDPGFX packets.
There is no direct command provided in the resources to detect exploitation attempts, but you can check the FreeRDP client version with the following command:
- freerdp --version
For network monitoring, tools like Wireshark can be used to capture and analyze RDP traffic, filtering for RDPGFX PDUs to look for anomalies.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the FreeRDP client to version 3.26.0 or later, where this vulnerability has been fixed.
If upgrading is not immediately possible, disabling RDPGFX support in the FreeRDP client can prevent the vulnerability from being triggered, as the bug is only reachable when RDPGFX is enabled.
Additionally, avoid connecting to untrusted or unknown RDP servers, as the vulnerability requires connecting to a malicious server to be exploited.