PT-2026-22017 · Freerdp+3 · Freerdp+3

Ppcavalcante

·

Published

2026-01-01

·

Updated

2026-04-25

·

CVE-2026-26955

CVSS v2.0

10

High

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions FreeRDP versions prior to 3.23.0
Description A malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline, such as xfreerdp. This occurs when sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The gdi SurfaceCommand ClearCodec() handler lacks validation of the command rectangle against the destination surface dimensions. This allows attacker-controlled cmd->left and cmd->top values to reach image copy routines that write into surface->data without bounds enforcement. Corruption of the codecs* pointer leads to an indirect function pointer call at NSC CONTEXT.decode in nsc.c:500, potentially resulting in full instruction pointer control.
Recommendations Upgrade to version 3.23.0 to receive a patch.

Exploit

Fix

Memory Corruption

Weakness Enumeration

CWE-787

Related Identifiers

ALSA-2026:5939
ALSA-2026:6004
ALSA-2026:6005
BDU:2026-04152
CVE-2026-26955
GHSA-MR6W-CH7C-MQQJ
MGASA-2026-0086
OESA-2026-2036
OESA-2026-2037
OESA-2026-2038
OESA-2026-2039
OESA-2026-2040
OPENSUSE-SU-2026:10408-1
OPENSUSE-SU-2026:10459-1
OPENSUSE-SU-2026:20632-1
OPENSUSE-SU-2026:20657-1
RHSA-2026:5936
RHSA-2026:5939
RHSA-2026:6004
RHSA-2026:6005
RHSA-2026:6384
RHSA-2026:6385
RHSA-2026:6395
RHSA-2026:6396
RHSA-2026:6616
RHSA-2026:6665
RHSA-2026:6712
RHSA-2026:6764
RHSA-2026:7292
SUSE-SU-2026:1129-1
SUSE-SU-2026:1160-1
SUSE-SU-2026:1164-1
SUSE-SU-2026:1165-1
SUSE-SU-2026:1398-1
SUSE-SU-2026:21436-1
USN-8105-1

Affected Products

Freerdp
Linuxmint
Rocky Linux
Ubuntu