PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40033 FreeRDP CVE debrief

A heap-buffer-overflow vulnerability exists in FreeRDP versions prior to 3.26.0 within the gdi_CacheToSurface function. The flaw stems from a validation logic error: rectangle coordinates are clamped to UINT16_MAX during bounds checking, but subsequent copy operations use unclamped cache entry dimensions. This discrepancy allows a malicious RDP server to trigger out-of-bounds heap writes, potentially leading to remote code execution or client crash. The vulnerability was disclosed on 2026-05-26 and is currently undergoing analysis in the NVD. No known exploitation in ransomware campaigns has been reported.

Vendor: FreeRDP
Product: Unknown
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-27
Advisory published: 2026-05-26
Advisory updated: 2026-05-27

Who should care

Organizations using FreeRDP clients to connect to RDP servers, particularly those in environments where RDP server trust cannot be guaranteed. Security teams responsible for endpoint protection and remote access infrastructure. Developers integrating FreeRDP libraries into custom applications.

Technical summary

The vulnerability resides in the gdi_CacheToSurface function, where rectangle validation clamps coordinates to UINT16_MAX but fails to apply the same clamping to the cache entry dimensions used in the copy operations. Because the check and the copy operate on different values, a malicious RDP server can supply crafted cache entries whose dimensions exceed the clamped bounds, resulting in out-of-bounds heap writes during surface blitting. The CVSS 4.0 score of 8.7 reflects high impact to confidentiality, integrity, and availability, combined with a network attack vector and low attack complexity.
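A simplified C model of the check/copy mismatch described above, added here as an illustration and not taken from FreeRDP's code; the types, function names, and the 1024x768 surface used in the comments are assumptions:

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified model of the validation mismatch described in the summary above.
 * The types, names and values here are assumptions for illustration, not FreeRDP's code. */
typedef struct { uint32_t width, height; } surface_t;         /* destination surface, client-owned */
typedef struct { uint32_t width, height; } cache_entry_t;     /* cached bitmap size, server-controlled */
typedef struct { uint32_t left, top, right, bottom; } rect_t; /* destination rectangle, server-controlled */

static uint32_t clamp_u16(uint32_t v) { return v > UINT16_MAX ? UINT16_MAX : v; }

/* Vulnerable pattern: the check looks at a clamped copy of the rectangle, while the
 * region the copy loop actually writes is sized from the unclamped cache entry. */
static bool validate_vulnerable(const surface_t *dst, const rect_t *r, const cache_entry_t *e)
{
    rect_t c = { clamp_u16(r->left), clamp_u16(r->top), clamp_u16(r->right), clamp_u16(r->bottom) };
    (void)e; /* e->width / e->height are never compared against the surface */
    return c.left <= c.right && c.top <= c.bottom &&
           c.right <= dst->width && c.bottom <= dst->height;
}

/* Fixed pattern: validate exactly the extent the copy will touch, using the same
 * values the copy uses; subtraction keeps the arithmetic free of uint32 wrap-around. */
static bool validate_fixed(const surface_t *dst, const rect_t *r, const cache_entry_t *e)
{
    if (r->left > dst->width || r->top > dst->height)
        return false;
    if (e->width > dst->width - r->left || e->height > dst->height - r->top)
        return false;
    return true;
}

/* Independent oracle: would copying e at (left, top) write past the surface? */
static bool copy_exceeds_surface(const surface_t *dst, const rect_t *r, const cache_entry_t *e)
{
    uint64_t right = (uint64_t)r->left + e->width;
    uint64_t bottom = (uint64_t)r->top + e->height;
    return right > dst->width || bottom > dst->height;
}
```

The point of the fixed version is that the bounds check and the copy must be driven by the same values; a 64x64 rectangle with a 70000-wide cache entry passes the clamped check but is rejected once the check is applied to the extent actually written.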

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade FreeRDP to version 3.26.0 or later to remediate the heap-buffer-overflow vulnerability
  • Review and restrict RDP server connections to trusted sources only, since exploitation requires the client to connect to a malicious server
  • Monitor for anomalous FreeRDP client crashes or memory corruption indicators that may signal exploitation attempts
  • Apply principle of least privilege for RDP client processes to limit impact of potential code execution
  • Consider network segmentation to isolate RDP client systems from untrusted networks until patching is complete

Evidence notes

Vulnerability description and technical details sourced from NVD entry and Vulncheck advisory. Patch commit and GitHub Security Advisory confirm fix availability. CVSS 4.0 vector indicates network attack vector with low attack complexity and high impact to confidentiality, integrity, and availability.
