HIGH 8.8

CVE-2026-44421: FreeRDP Heap Buffer Overflow in RDPGFX (CVSS 8.8)

FreeRDP, an open-source Remote Desktop Protocol client, contains a memory safety flaw that can be exploited by a malicious RDP server. When a FreeRDP client connects to an attacker-controlled server with graphics acceleration enabled, the attacker can send specially crafted network packets that trigger a heap buffer overflow during graphics operations. This memory corruption can crash the client or potentially allow remote code execution on the user's machine. The vulnerability requires user interaction (initiating an RDP connection) but does not require authentication, making it a practical attack vector against organizations that rely on remote desktop functionality.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-122, CWE-787
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-30

NVD description (verbatim)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client by sending crafted RDPGFX PDUs. The bug is in gdi_CacheToSurface: it validates a destination rectangle that is clamped to UINT16_MAX, but then performs the copy using the original cacheEntry->width/height. This can cause a large out-of-bounds heap write and may lead to client crashes or code execution. This bug is reachable from a malicious RDP server, but only when the client has RDPGFX enabled. This vulnerability is fixed in 3.26.0.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the gdi_CacheToSurface function within FreeRDP's graphics processing pipeline. The flaw stems from an inconsistency in bounds checking: the code validates a destination rectangle and clamps coordinates to UINT16_MAX, but subsequently uses the original unclamped cache entry dimensions for the actual memory copy operation. This mismatch allows an attacker to write beyond allocated heap boundaries when RDPGFX (Remote Desktop Protocol Graphics) extensions are active. The issue is classified as a heap-based buffer overflow (CWE-122 and CWE-787), enabling substantial out-of-bounds writes that can corrupt adjacent heap structures and potentially achieve code execution.

Business impact

Organizations using FreeRDP for remote access infrastructure face both operational and security risks. A compromised FreeRDP client session could expose sensitive data accessed or transmitted through the remote desktop, disrupt business continuity through client crashes, and potentially serve as a pivot point for lateral movement if the compromised endpoint holds privileged credentials. Open-source adoption of FreeRDP in enterprise tooling, containerized environments, and custom RDP solutions amplifies exposure. The requirement that RDPGFX be enabled limits but does not eliminate risk, as graphics acceleration is commonly enabled for user productivity.

Affected systems

FreeRDP versions prior to 3.26.0 are vulnerable. This includes all 3.x releases before 3.26.0 and earlier major versions. Affected systems include FreeRDP clients deployed across Linux, Windows, and Unix-like systems; applications embedding FreeRDP as a library; remote desktop gateways or proxies relying on FreeRDP for client-side rendering; and containerized deployments of FreeRDP-based services. Users running FreeRDP 3.26.0 or later are not affected. Verify your installed version against vendor release notes.

Exploitability

Exploitation requires a user to connect to an attacker-controlled or compromised RDP server with RDPGFX enabled. No pre-authentication or special privileges are needed on the attacker side, and the network is directly reachable from the internet in many deployments. The attack is deterministic—crafted RDPGFX PDUs reliably trigger the overflow—though achieving reliable code execution may require heap manipulation and platform-specific techniques. The user interaction barrier is minimal in scenarios where remote access is routine or where connection requests can be socially engineered. This vulnerability has not been observed in active exploitation campaigns to date, but the technical requirements for weaponization are straightforward.

Remediation

Upgrade FreeRDP to version 3.26.0 or later. Patch installation is the definitive mitigation. Organizations unable to patch immediately should disable RDPGFX if operationally feasible, restrict RDP server connections to trusted internal systems, and enforce network segmentation to limit exposure. Monitor for unexpected client crashes or suspicious process behavior on systems running FreeRDP. Audit which applications and services depend on FreeRDP to prioritize patching efforts.

Patch guidance

Consult the official FreeRDP project releases and your distribution's package repository for version 3.26.0 and later. Verify patch authenticity through official FreeRDP channels (GitHub releases, signed git tags, or vendor security advisories). For embedded or custom deployments, rebuild and redeploy with the patched FreeRDP library. Test patched versions in a non-production environment first to confirm compatibility with existing workflows. Organizations maintaining custom builds should review the FreeRDP project's commit history and security patches between your current version and 3.26.0.

Detection guidance

Monitor system logs for FreeRDP client crashes, segmentation faults, or abnormal process termination during or shortly after RDP connections. Network detection is challenging without traffic inspection, but anomalous RDPGFX PDU sizes or malformed packets may be observable on monitored RDP channels. Host-based memory protection mechanisms (e.g., AddressSanitizer if compiled in, or OS-level heap guards) can catch exploitation attempts. Review process dumps or core files from crashed FreeRDP clients for evidence of heap corruption. Track FreeRDP version inventory across your environment to identify unpatched deployments.

Why prioritize this

This vulnerability merits urgent patching due to its CVSS 3.1 score of 8.8 (HIGH), direct path from network-unauthenticated attacker to user system, potential for code execution, and straightforward trigger mechanism. The user-interaction requirement and RDPGFX dependency moderate but do not eliminate risk in environments where remote desktop use is prevalent. Prioritize patching for FreeRDP instances exposed to untrusted networks, followed by internal or air-gapped deployments.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects high severity: a network-reachable, unauthenticated attack vector (AV:N, PR:N) with low attack complexity (AC:L) that impacts confidentiality, integrity, and availability (C:H, I:H, A:H). The UI:R requirement (user interaction required to establish an RDP connection) prevents a perfect 9.8 score but remains a practical constraint in many remote access scenarios. The score does not account for real-world factors like RDPGFX enablement prevalence or active exploitation, but reflects the severity of successful compromise.

Frequently asked questions

Is my FreeRDP installation vulnerable?

Check your FreeRDP version: run `freerdp-version` or equivalent for your platform. If you are running any version prior to 3.26.0, your installation is vulnerable. If RDPGFX is disabled in your configuration or if you do not use FreeRDP, risk is reduced but you should still plan to upgrade when feasible.

Can this be exploited without the user connecting to a malicious server?

No. The attacker must control or compromise an RDP server to send the crafted RDPGFX packets. An attacker cannot exploit a FreeRDP client by simply scanning the network or sending unsolicited traffic. However, users can be socially engineered to connect to attacker-controlled servers, or legitimate internal servers may be compromised.

Does disabling RDPGFX fully mitigate the risk?

Disabling RDPGFX eliminates the specific attack vector described in this CVE. However, graphics-related bugs may emerge in other code paths, and disabling RDPGFX degrades user experience and remote desktop responsiveness. Patching to 3.26.0 is the proper long-term fix.

What should I do if I cannot patch immediately?

Implement network segmentation to restrict RDP connections to trusted internal servers, disable RDPGFX if operationally acceptable, and consider disabling or monitoring RDP services that are not actively needed. Monitor for crashes and maintain an inventory of FreeRDP instances to track patch status. Patch as soon as your change-management process allows.

This analysis is based on the CVE record and publicly available information as of the publication date. Actual exploitability, patch availability, and remediation timelines may vary by platform and vendor. Organizations should verify patch versions and compatibility with their specific FreeRDP deployments against official vendor advisories. This guidance is not a substitute for professional security assessment or incident response; organizations should consult their security teams and vendors for deployment-specific recommendations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).