FreeRDP up to 3.22.x gdi_SurfaceCommand_ClearCodec out-of-bounds write

Summaryinfo

A vulnerability described as critical has been identified in FreeRDP up to 3.22.x. Affected by this vulnerability is the function gdi_SurfaceCommand_ClearCodec. Executing a manipulation can lead to out-of-bounds write. This vulnerability is tracked as CVE-2026-26955. The attack can be launched remotely. No exploit exists. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability classified as critical was found in FreeRDP up to 3.22.x. This vulnerability affects the function gdi_SurfaceCommand_ClearCodec. The manipulation with an unknown input leads to a out-of-bounds write vulnerability. The CWE definition for the vulnerability is CWE-787. The product writes data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.

The advisory is available at github.com. This vulnerability was named CVE-2026-26955 since 02/16/2026. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. Technical details are known, but there is no available exploit.

The vulnerability scanner Nessus provides a plugin with the ID 299994 (Linux Distros Unpatched Vulnerability : CVE-2026-26955), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 3.23.0 eliminates this vulnerability. Applying the patch 7d8fdce2d0ef337cb86cb37fc0c436c905e04d77 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (299994) and CERT Bund (WID-SEC-2026-0514). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Affected

• Amazon Linux 2
• Red Hat Enterprise Linux
• Fedora Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• SUSE openSUSE
• RESF Rocky Linux
• Open Source FreeRDP

Productinfo

Type

• Remote Access Software

Name

• FreeRDP

Version

• 3.0
• 3.1
• 3.2
• 3.3
• 3.4
• 3.5
• 3.6
• 3.7
• 3.8
• 3.9
• 3.10
• 3.11
• 3.12
• 3.13
• 3.14
• 3.15
• 3.16
• 3.17
• 3.18
• 3.19
• 3.20
• 3.21
• 3.22

License

• open-source

Website

• Product: https://github.com/FreeRDP/FreeRDP/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion