CVE-2026-26955 in FreeRDP
Summary
by MITRE • 02/25/2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command; full instruction pointer (RIP) control was demonstrated in an exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.
Analysis
by VulDB Data Team • 05/14/2026
The vulnerability identified as CVE-2026-26955 is a critical heap buffer overflow in FreeRDP client implementations prior to version 3.23.0. It affects the GDI surface pipeline within FreeRDP clients such as xfreerdp and gives a remote attacker a path to arbitrary code execution through carefully crafted RDPGFX commands. The vulnerability stems from insufficient input validation in the graphics processing pipeline: a malicious RDP server can manipulate surface command parameters to trigger memory corruption. The flaw lies in the `gdi_SurfaceCommand_ClearCodec()` function, which fails to perform bounds checking against the destination surface dimensions before processing the graphics command.
Technically, the vulnerability is the absence of `is_within_surface()` validation in the graphics command handler, which lets attacker-controlled coordinates bypass the safety check. When an RDP server sends a ClearCodec surface command whose destination rectangle lies outside the surface, specifically with manipulated `cmd->left` and `cmd->top` values and subcodec rectangle offsets, those values flow directly into the image copy routines that write into the `surface->data` memory region. With no bounds enforcement, the resulting out-of-bounds write corrupts adjacent memory, in particular the `codecs*` pointer of a neighbouring `gdiGfxSurface` struct. That corruption is sufficient to hijack execution flow through an indirect function pointer call, specifically the `NSC_CONTEXT.decode` function pointer at `nsc.c:500`, and full instruction pointer control was demonstrated in exploitability testing.
The operational impact of this vulnerability goes beyond memory corruption: it enables remote code execution. An attacker can leverage the flaw to gain complete control over an affected FreeRDP client system, potentially leading to unauthorized access to remote desktop sessions and subsequent network compromise. Exploitation requires no authentication or prior access to the target system, which makes the flaw particularly dangerous in environments where RDP connections are prevalent. The attack vector involves a malicious RDP server establishing a connection to a vulnerable client, sending the crafted ClearCodec command, and then sending the subsequent codec command that achieves code execution. This vulnerability maps to CWE-121 heap-based buffer overflow and aligns with ATT&CK techniques involving remote code execution through protocol manipulation and memory corruption.
Organizations using FreeRDP clients must urgently upgrade to version 3.23.0 or later to mitigate this vulnerability, as the patch addresses the core issue by implementing proper bounds checking within the graphics command processing pipeline. The fix ensures that `is_within_surface()` validation is performed before any graphic command processing occurs, preventing out-of-bounds memory writes that could corrupt adjacent memory structures. Additionally, system administrators should consider implementing network segmentation and monitoring for suspicious RDP traffic patterns, particularly when dealing with legacy systems that may not have received the security update. The vulnerability demonstrates the critical importance of input validation in graphics processing components and highlights the need for comprehensive security testing of protocol implementations that handle untrusted data from remote sources.
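To make the missing check from the two preceding paragraphs concrete, here is an added illustration that is not FreeRDP's own code: a minimal model of a surface command handler with the bounds check switched off (the pre-3.23.0 behaviour) and on, run against a surface buffer followed by a canary region that stands in for the adjacent `gdiGfxSurface`. The structure names, their fields and the `guarded_fill` helper are hypothetical simplifications that only borrow the names the advisory uses.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for the structures the advisory names (field names
 * follow the page, not FreeRDP's real definitions); one byte per pixel. */
typedef struct { uint32_t left, top, right, bottom; } SurfaceCommand; /* right/bottom exclusive */
typedef struct { uint32_t width, height, scanline; uint8_t *data; } GfxSurface;

/* The check the vulnerable handler skipped: every edge of the command rectangle
 * must lie inside the surface and it must not be inverted. Comparisons only. */
static bool is_within_surface(const GfxSurface *surface, const SurfaceCommand *cmd)
{
    if (!surface || !cmd)
        return false;
    if (cmd->left > cmd->right || cmd->top > cmd->bottom)
        return false;
    return cmd->right <= surface->width && cmd->bottom <= surface->height;
}

/* Fill the command rectangle. enforce=false models the pre-3.23.0 handler (no
 * validation before writing into surface->data); enforce=true the fixed one. */
static int surface_command_fill(GfxSurface *surface, const SurfaceCommand *cmd, uint8_t value, bool enforce)
{
    if (enforce && !is_within_surface(surface, cmd))
        return -1;                       /* rejected before any write */
    for (uint32_t y = cmd->top; y < cmd->bottom; y++) {
        uint8_t *row = surface->data + (size_t)y * surface->scanline;
        for (uint32_t x = cmd->left; x < cmd->right; x++)
            row[x] = value;
    }
    return 0;
}

/* Self-check: a 16x16 surface followed by a canary standing in for the adjacent
 * gdiGfxSurface. Returns 0 if the canary was overwritten, 1 if the fill ran in
 * bounds, 2 if the rectangle was rejected. */
static int guarded_fill(bool enforce, uint32_t left, uint32_t top, uint32_t right, uint32_t bottom)
{
    enum { W = 16, H = 16, GUARD = 8 * W };
    uint8_t buf[W * H + GUARD];
    memset(buf, 0, sizeof buf);
    memset(buf + W * H, 0xAA, GUARD);    /* canary: must stay 0xAA */
    GfxSurface surface = { W, H, W, buf };
    SurfaceCommand cmd = { left, top, right, bottom };
    int rc = surface_command_fill(&surface, &cmd, 0x11, enforce);
    for (int i = 0; i < GUARD; i++)
        if (buf[W * H + i] != 0xAA)
            return 0;
    return rc == 0 ? 1 : 2;
}
```

With the check off, a rectangle whose bottom edge exceeds the surface height silently overwrites the canary; with it on, the same command is refused before a single byte is written.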