PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44421 FreeRDP CVE debrief

A heap-buffer-overflow vulnerability exists in FreeRDP client versions prior to 3.26.0. The flaw resides in the `gdi_CacheToSurface` function, where the destination rectangle is validated after being clamped to UINT16_MAX, but the subsequent copy operation uses the original, unclamped `cacheEntry->width` and `cacheEntry->height` values. This mismatch allows a malicious RDP server to trigger an out-of-bounds heap write when the client has RDPGFX enabled. The vulnerability can lead to client crashes or potential code execution. The issue was fixed in FreeRDP version 3.26.0.

Vendor: FreeRDP
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations using FreeRDP clients for remote desktop connectivity, particularly those connecting to untrusted or externally facing RDP servers. Security teams monitoring client-side RDP attack surfaces. Infrastructure administrators managing Linux-based thin clients or remote access workstations that use FreeRDP.

Technical summary

The vulnerability is a heap-based buffer overflow (CWE-122) in FreeRDP's graphics device interface. The `gdi_CacheToSurface` function performs insufficient bounds checking: it clamps the destination rectangle to UINT16_MAX for validation purposes, but then uses the unclamped `cacheEntry->width` and `cacheEntry->height` values during the actual memory copy operation. This allows a malicious RDP server to send crafted RDPGFX PDUs that cause the client to write beyond allocated heap memory. The attack requires the client to have RDPGFX (Remote Desktop Protocol Graphics Extension) enabled, which is commonly used for enhanced graphics performance in RDP sessions. Successful exploitation may result in denial of service through client crashes or potentially arbitrary code execution within the client process context.
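The following C program is an added illustration of the bug class described above (validate one set of dimensions, copy with another); it is not FreeRDP's code, and the `surface_t`, `cache_entry_t`, `clamped_rect_fits`, `exact_rect_fits` and `cache_to_surface` names are hypothetical, as is the simplified 8-bit-per-pixel surface model. The clamped check mirrors the advisory's description: destination edges are saturated to UINT16_MAX before comparison, so for a surface whose edge sits at that ceiling the check accepts a width the copy loop would overrun. The hardened check validates exactly the values the copy uses, with overflow-safe arithmetic, and the copy routine refuses to proceed unless that check passes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Simplified model (assumption, not FreeRDP's structures): an 8-bit-per-pixel
 * surface and a cached bitmap, both stored row-major without padding. */
typedef struct {
    uint32_t width, height;
    uint8_t *data;            /* width * height bytes */
} surface_t;

typedef struct {
    uint32_t width, height;   /* the dimensions the copy loop actually uses */
    uint8_t *data;
} cache_entry_t;

/* Saturate an edge coordinate to UINT16_MAX, modelling the clamp the advisory describes. */
static uint32_t clamp_u16(uint64_t v) {
    return v > UINT16_MAX ? UINT16_MAX : (uint32_t)v;
}

/* Vulnerable-style check: validates the CLAMPED destination rectangle.
 * Returns 1 if the copy would be allowed. It only decides; it never copies. */
int clamped_rect_fits(const surface_t *s, uint32_t x, uint32_t y, const cache_entry_t *e) {
    uint32_t right  = clamp_u16((uint64_t)x + e->width);
    uint32_t bottom = clamp_u16((uint64_t)y + e->height);
    return right <= s->width && bottom <= s->height;
}

/* Hardened check: validates exactly the values the copy will use, in 64-bit
 * arithmetic so x + width cannot wrap, and with no clamping at all. */
int exact_rect_fits(const surface_t *s, uint32_t x, uint32_t y, const cache_entry_t *e) {
    uint64_t right  = (uint64_t)x + e->width;
    uint64_t bottom = (uint64_t)y + e->height;
    return e->width > 0 && e->height > 0 && right <= s->width && bottom <= s->height;
}

/* Copy the cache entry into the surface at (x, y). Returns 0 on success and
 * -1 when the rectangle is rejected. Because the loop below uses e->width and
 * e->height, the guard must be computed from those same values. */
int cache_to_surface(surface_t *s, uint32_t x, uint32_t y, const cache_entry_t *e) {
    if (!exact_rect_fits(s, x, y, e))
        return -1;
    for (uint32_t row = 0; row < e->height; row++) {
        memcpy(s->data + (size_t)(y + row) * s->width + x,
               e->data + (size_t)row * e->width,
               e->width);
    }
    return 0;
}

/* Constructed scenario: a 65535-pixel-wide, one-row surface and a 70000-wide
 * entry. Returns 1 when the clamped check accepts what the exact check rejects,
 * i.e. when the two validations diverge. Neither check touches pixel data. */
int demo_clamp_divergence(void) {
    surface_t s = { 65535, 1, NULL };
    cache_entry_t e = { 70000, 1, NULL };
    return clamped_rect_fits(&s, 0, 0, &e) == 1 && exact_rect_fits(&s, 0, 0, &e) == 0;
}

/* Constructed scenario: a 16x16 entry copied into a 64x64 surface at (10,10).
 * Returns 1 when exactly 256 pixels were written and they land where expected. */
int demo_benign_copy(void) {
    uint8_t sdata[64 * 64] = {0};
    uint8_t edata[16 * 16];
    memset(edata, 0xAB, sizeof edata);
    surface_t s = { 64, 64, sdata };
    cache_entry_t e = { 16, 16, edata };
    if (cache_to_surface(&s, 10, 10, &e) != 0)
        return 0;
    int written = 0;
    for (size_t i = 0; i < sizeof sdata; i++)
        if (sdata[i] == 0xAB) written++;
    return written == 256 && sdata[10 * 64 + 10] == 0xAB && sdata[9 * 64 + 10] == 0;
}

int main(void) {
    printf("clamped and exact checks diverge: %s\n", demo_clamp_divergence() ? "yes" : "no");
    printf("benign copy correct: %s\n", demo_benign_copy() ? "yes" : "no");
    return 0;
}
```

The design point is the one the advisory makes: a bounds check is only as good as its agreement with the code path it guards. If the copy loop is driven by `cacheEntry->width` and `cacheEntry->height`, those are the values that must be range-checked against the surface, and any intermediate clamping or narrowing (to a UINT16 rectangle, for instance) has to happen before the copy as well or not at all.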

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade FreeRDP client to version 3.26.0 or later
  • Disable RDPGFX on FreeRDP clients if upgrade is not immediately feasible
  • Restrict RDP client connections to trusted, authenticated servers only
  • Monitor for anomalous RDPGFX PDU patterns in network traffic
  • Apply principle of least privilege for RDP client processes

Evidence notes

Vulnerability confirmed via GitHub Security Advisory GHSA-p6r2-4hgm-m6ff. CVSS 3.1 score of 8.8 (HIGH) assigned. CWE-122 (Heap-based Buffer Overflow) identified. Fix version 3.26.0 explicitly stated in advisory. Attack vector requires network access to a malicious RDP server with RDPGFX enabled on the client.

Official resources

2026-05-29