CVE-2026-23531
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk35th percentile - higher than 35% of all known CVEs
Summary
In FreeRDP prior to version 3.21.0, in ClearCodec, the `clear_decompress` function calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk.
Risk Assessment
The organization is exposed to Denial of Service attacks and potential remote code execution by a malicious RDP server, which could lead to client machine compromise and data leakage.
Recommendation
Immediately upgrade FreeRDP to version 3.21.0 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

