PatchSiren

FreeRDP CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM FreeRDP CVE published 2026-07-10

CVE-2026-57158

CVE-2026-57158 is a MEDIUM severity vulnerability in FreeRDP clients using the GFX pipeline, with an incomplete fix for CVE-2026-23530. A malicious RDP server can send a truncated RDPGFX_CMDID_WIRETOSURFACE_1 planar payload that reads one byte past the input buffer. This issue is fixed in version 3.28.0. The vulnerability exists in the planar_decompress_plane_rle_only function in libfreerdp/codec/planar.c [truncated]

MEDIUM FreeRDP CVE published 2026-07-10

CVE-2026-57157

FreeRDP server implementations with the MS-RDPECAM camera device enumerator channel enabled are vulnerable to a heap read issue. This issue allows a malicious RDP client to trigger a 1- to 2-byte out-of-bounds heap read. The vulnerability is fixed in version 3.28.0. Users of FreeRDP server implementations with the MS-RDPECAM camera device enumerator channel enabled should review and apply the provided pat [truncated]

HIGH FreeRDP CVE published 2026-07-10

CVE-2026-57156

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.28.0 on 32-bit builds, FreeRDP clients contain an integer overflow in update_read_delta_points in libfreerdp/core/orders.c when multiplying an attacker-controlled point count by sizeof(DELTA_POINT), allowing a malicious RDP peer to allocate an undersized heap buffer and then write beyond it during initialization. This issue is fix [truncated]

HIGH FreeRDP CVE published 2026-07-10

CVE-2026-55827

CVE-2026-55827 is a heap out-of-bounds write vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. This issue allows a malicious RDP server to trigger a heap out-of-bounds write with attacker-controlled offset and content when FreeRDP clients are launched with the non-default /cache:codec:rfx option. Affected product deployments should be identified, and owners assigned for follo [truncated]

HIGH FreeRDP CVE published 2026-07-08

CVE-2026-56297

CVE-2026-56297 is a high-severity use-after-free vulnerability in FreeRDP before 3.22.0. A malicious RDP server can trigger a race condition by sending DYNVC_DATA and DYNVC_CLOSE messages concurrently, causing heap-use-after-free in the drdynvc client thread and potentially enabling remote code execution or denial of service. The vulnerability exists in dvcman_channel_close and dvcman_call_on_receive due [truncated]

HIGH FreeRDP CVE published 2026-05-29

CVE-2026-45700

FreeRDP versions prior to 3.26.0 contain an out-of-bounds heap write vulnerability in the planar bitmap decoder. The flaw exists in `freerdp_bitmap_decompress_planar()` within `libfreerdp/codec/planar.c`, where the function validates the X destination coordinate `nXDst` against the caller-provided destination stride (`nDstStep`) even when writing to an internal temporary buffer (`pTempData`). An attacker [truncated]

HIGH FreeRDP CVE published 2026-05-29

CVE-2026-44422

## Summary FreeRDP versions prior to 3.26.0 contain a heap use-after-free/double-free vulnerability in the RDPEAR NDR parser. A malicious RDP server can trigger memory corruption by reusing the same non-null NDR pointer reference ID across multiple logical pointer fields, causing the parser to assign the same heap object to multiple output fields. The generic destructor then independently frees both point [truncated]

HIGH FreeRDP CVE published 2026-05-29

CVE-2026-44421

A heap-buffer-overflow vulnerability exists in FreeRDP client versions prior to 3.26.0. The flaw resides in the `gdi_CacheToSurface` function, where a destination rectangle is validated after being clamped to UINT16_MAX, but the subsequent copy operation uses the original `cacheEntry->width/height` values. This mismatch allows a malicious RDP server to trigger an out-of-bounds heap write when the client h [truncated]

HIGH FreeRDP CVE published 2026-05-29

CVE-2026-44420

A heap-buffer-overflow vulnerability exists in FreeRDP's server-side clipboard (cliprdr) channel prior to version 3.26.0. A malicious RDP client can trigger this flaw by sending a CB_CLIP_CAPS PDU with a malformed capabilitySetLength value that is too small. This memory corruption can crash the server process, resulting in remote denial of service, and may be exploitable for code execution. The vulnerabil [truncated]

HIGH FreeRDP CVE published 2026-05-26

CVE-2026-40033

A heap-buffer-overflow vulnerability exists in FreeRDP versions prior to 3.26.0 within the gdi_CacheToSurface function. The flaw stems from a validation logic error: rectangle coordinates are clamped to UINT16_MAX during bounds checking, but subsequent copy operations use unclamped cache entry dimensions. This discrepancy allows a malicious RDP server to trigger out-of-bounds heap writes, potentially lead [truncated]

HIGH FreeRDP CVE published 2026-03-30

CVE-2026-33984

CVE-2026-33984 is a heap buffer overflow vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. The vulnerability exists in the resize_vbar_entry() function in libfreerdp/codec/clear.c. Prior to version 3.24.2, an attacker can exploit this vulnerability by providing malicious pixel data, leading to a heap buffer overflow. This issue has been patched in version 3.24.2. Users should [truncated]

CRITICAL FreeRDP CVE published 2026-03-13

CVE-2026-31806

CVE-2026-31806 is a critical heap buffer overflow vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. The vulnerability exists in the gdi_surface_bits() function, which processes SURFACE_BITS_COMMAND messages sent by the RDP server. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size, leading to a heap buffer overflow. [truncated]

HIGH FreeRDP CVE published 2026-02-25

CVE-2026-26965

CVE-2026-26965 is a heap out-of-bounds write vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. The vulnerability allows a remote, unauthenticated attacker to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. This can lead to control-flow–relevant corruption, including the overwriting of a function pointer. The [truncated]

HIGH FreeRDP CVE published 2026-02-25

CVE-2026-26955

CVE-2026-26955 is a heap buffer overflow vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. A malicious RDP server can trigger the vulnerability by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. This allows attacker-controlled data to reach image copy routines that write into surface data without bounds enforcement. The vulnerability [truncated]

HIGH FreeRDP CVE published 2026-02-09

CVE-2026-24678

CVE-2026-24678 is a high-severity vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. The vulnerability, fixed in version 3.22.0, is a use-after-free issue in the ecam_channel_write function. This occurs when a capture thread sends sample responses using a freed channel callback after a device channel close. The vulnerability has a CVSS score of 8.7 and is considered HIGH sever [truncated]

HIGH FreeRDP CVE published 2026-01-19

CVE-2026-23884

CVE-2026-23884 is a high-severity vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. The vulnerability, caused by offscreen bitmap deletion leaving `gdi->drawing` pointing to freed memory, can lead to a use-after-free (UAF) condition when related update packets arrive. This can cause a crash (DoS) and potentially lead to heap corruption with code-execution risk, depending on a [truncated]

HIGH FreeRDP CVE published 2026-01-19

CVE-2026-23534

CVE-2026-23534 is a high-severity vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. A client-side heap buffer overflow occurs when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allo [truncated]

HIGH FreeRDP CVE published 2026-01-19

CVE-2026-23532

CVE-2026-23532 is a high-severity vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. A client-side heap buffer overflow occurs due to a mismatch between destination rectangle clamping and the actual copy size in the FreeRDP client’s `gdi_SurfaceToSurface` path. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruptio [truncated]

HIGH FreeRDP CVE published 2026-01-19

CVE-2026-23531

CVE-2026-23531 is a high-severity vulnerability in FreeRDP's ClearCodec. Prior to version 3.21.0, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle. This allows an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential [truncated]

MEDIUM FreeRDP CVE published 2026-01-14

CVE-2026-22859

CVE-2026-22859 is a medium-severity vulnerability in the FreeRDP URBDRC client. The vulnerability arises from a lack of proper bounds checking on server-supplied MSUSB_INTERFACE_DESCRIPTOR values, which are then used as indices in libusb_udev_complete_msconfig_setup. This can lead to an out-of-bounds read. The vulnerability has been fixed in FreeRDP version 3.20.1. Users of FreeRDP should update to this v [truncated]

MEDIUM FreeRDP CVE published 2026-01-14

CVE-2026-22858

CVE-2026-22858 is a global-buffer-overflow vulnerability in FreeRDP's Base64 decoding path. The issue arises from implementation-defined char signedness, particularly on Arm/AArch64 builds where plain char is treated as unsigned. This leads to a potential out-of-bounds access when non-ASCII bytes are used as an index into a global lookup table. The vulnerability is fixed in FreeRDP version 3.20.1. Users s [truncated]

MEDIUM FreeRDP CVE published 2026-01-14

CVE-2026-22853

CVE-2026-22853 is a heap buffer overflow vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. The vulnerability exists in RDPEAR's NDR array reader, which does not perform bounds checking on the on-wire element count. This can cause the reader to write past the heap buffer allocated from hints, leading to a heap buffer overflow. The vulnerability is fixed in version 3.20.1. User [truncated]