CVE Catalog

CVE-2026-44421

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

34th percentile - higher than 34% of all known CVEs

Summary

In FreeRDP before version 3.26.0, a heap-buffer-overflow write vulnerability exists. A malicious RDP server can send crafted RDPGFX PDUs, causing memory corruption and potential code execution.

Risk Assessment

An attacker-controlled RDP server can crash the FreeRDP client or execute arbitrary code, posing a serious risk to data confidentiality and system integrity.

Recommendation

Upgrade FreeRDP to version 3.26.0 or later immediately. If upgrading is not possible, disable RDPGFX support in the client configuration.

Original NVD description (English source)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client by sending crafted RDPGFX PDUs. The bug is in gdi_CacheToSurface: it validates a destination rectangle that is clamped to UINT16_MAX, but then performs the copy using the original cacheEntry->width/height. This can cause a large out-of-bounds heap write and may lead to client crashes or code execution. This bug is reachable from a malicious RDP server, but only when the client has RDPGFX enabled. This vulnerability is fixed in 3.26.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS