CVE-2026-55827
Received Received - Intake

RemoteFX Heap Out-of-Bounds Write in FreeRDP

Vulnerability report for CVE-2026-55827, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.27.1, FreeRDP clients launched with the non-default /cache:codec:rfx option pass desktop stride and height to RemoteFX decoding for Cache Bitmap V3 data while allocating bitmap->data only for the smaller DstWidth and DstHeight in gdi_Bitmap_Decompress, allowing a malicious RDP server to trigger a heap out-of-bounds write with attacker-controlled offset and content. This issue is fixed in version 3.27.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
freerdp freerdp to 3.27.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-131 The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in FreeRDP (CVE-2026-55827) allows a malicious RDP server to execute arbitrary code on a client by exploiting a heap out-of-bounds write during bitmap decoding. This can lead to unauthorized access or control over the affected system.

Such unauthorized access or compromise of systems handling sensitive data could potentially violate compliance requirements under standards like GDPR or HIPAA, which mandate protection of personal and health information against unauthorized access and breaches.

However, the vulnerability requires a non-default client flag (/cache:codec:rfx) and post-authentication exploitation, which may limit the attack surface depending on deployment and configuration.

Organizations using vulnerable versions of FreeRDP should apply the fix in version 3.27.1 to mitigate risks and maintain compliance with security requirements of such regulations.

Executive Summary

CVE-2026-55827 is a heap out-of-bounds write vulnerability in FreeRDP's RemoteFX Cache Bitmap V3 decoding functionality. The issue arises because the client allocates memory for bitmap data based on smaller bitmap dimensions but then uses the desktop surface's larger stride and height values when decoding, causing writes beyond the allocated buffer.

A malicious RDP server can exploit this by sending specially crafted Cache Bitmap V3 drawing orders with attacker-controlled dimensions, leading to memory corruption. This can result in arbitrary code execution by overwriting function pointers, as demonstrated by controlling the instruction pointer in the client.

The vulnerability requires the non-default client flag /cache:codec:rfx and occurs post-authentication. It affects FreeRDP versions up to 3.27.0 and was fixed in version 3.27.1 by correcting buffer allocation and adding input validation.

Impact Analysis

This vulnerability can have serious impacts including arbitrary code execution on the client machine connecting to a malicious RDP server. An attacker can exploit the heap out-of-bounds write to overwrite critical memory structures such as function pointers, potentially gaining control over the client's system.

Even if arbitrary code execution is not achieved, the vulnerability can cause denial-of-service conditions by crashing the client due to memory corruption.

The attack requires the client to use the non-default /cache:codec:rfx flag and to connect to a malicious or compromised RDP server, making it a post-authentication threat vector.

Detection Guidance

This vulnerability is triggered when a FreeRDP client is launched with the non-default /cache:codec:rfx option and connects to a malicious RDP server that sends specially crafted Cache Bitmap V3 secondary drawing orders. Detection involves monitoring FreeRDP client usage with this specific option and inspecting RDP traffic for unusual Cache Bitmap V3 orders with codecID=0x03 (REMOTEFX) and abnormal DstWidth/DstHeight values.

Since the vulnerability is related to heap out-of-bounds writes during bitmap decompression, direct detection on the system might involve monitoring FreeRDP client crashes or abnormal behavior when connecting to RDP servers.

No explicit detection commands or network signatures are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade FreeRDP clients to version 3.27.1 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, avoid using the non-default /cache:codec:rfx client option, as this option triggers the vulnerable code path.

Additionally, restrict connections to trusted RDP servers to reduce exposure to malicious servers attempting to exploit this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55827. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart