PT-2026-25335 · Freerdp+1

Wooseokdotkim

Published: 2026-01-01 · Updated: 2026-04-25

CVE-2026-31806

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FreeRDP versions prior to 3.24.0
Description: FreeRDP is an implementation of the Remote Desktop Protocol. The gdi_surface_bits() function handles SURFACE_BITS_COMMAND messages from the RDP server. When using NSCodec, the bmp.width and bmp.height values are not validated against the desktop dimensions. A malicious RDP server can send crafted bmp.width and bmp.height values exceeding the expected surface size. This can lead to a heap buffer overflow because these values are used during bitmap decoding and memory operations without proper bounds checking. An attacker controlling the pixel data can potentially overwrite adjacent heap memory.
Recommendations: Versions prior to 3.24.0 should be updated to version 3.24.0 or later.
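The validation the description says is missing, written as an added defender-side example for this page and not FreeRDP's own code (the surface_bits_t struct, the gdiWidth/gdiHeight parameters and the function names are constructed for this illustration):

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the fields the check needs. The names mirror the
   advisory text (bmp.width, bmp.height, bmp.bpp); this is not FreeRDP's struct. */
typedef struct {
    uint32_t destLeft, destTop;   /* where the server wants the bitmap placed */
    uint32_t width, height;       /* bmp.width / bmp.height, server-controlled */
    uint32_t bpp;                 /* bmp.bpp, server-controlled */
} surface_bits_t;

/* width * height * bytes-per-pixel computed without silent wrap-around.
   Returns false when bpp is not a whole byte count or the product overflows. */
static bool decode_buffer_size(const surface_bits_t* c, size_t* out)
{
    if (c->bpp == 0 || c->bpp % 8 != 0 || c->bpp > 32) return false;
    uint32_t bypp = c->bpp / 8;
    uint64_t px = (uint64_t)c->width * c->height;   /* two 32-bit factors fit in 64 bits */
    if (px > UINT64_MAX / bypp) return false;
    uint64_t bytes = px * bypp;
    if (bytes > SIZE_MAX) return false;
    *out = (size_t)bytes;
    return true;
}

/* Rejects a SURFACE_BITS_COMMAND whose bitmap would not lie entirely inside a
   desktop surface of gdiWidth x gdiHeight pixels. Sums are done in 64 bits so
   destLeft + width cannot wrap to a small value and pass the comparison. */
static bool surface_bits_fits_desktop(const surface_bits_t* c, uint32_t gdiWidth, uint32_t gdiHeight)
{
    if (!c || c->width == 0 || c->height == 0) return false;
    if ((uint64_t)c->destLeft + c->width  > gdiWidth)  return false;
    if ((uint64_t)c->destTop  + c->height > gdiHeight) return false;
    size_t need;
    return decode_buffer_size(c, &need);
}

int main(void)
{
    /* constructed sample: a full-screen 1024x768 update, then an oversized one */
    surface_bits_t ok  = { 0, 0, 1024, 768, 32 };
    surface_bits_t big = { 0, 0, 4096, 4096, 32 };
    printf("ok fits: %d\n",  surface_bits_fits_desktop(&ok, 1024, 768));
    printf("big fits: %d\n", surface_bits_fits_desktop(&big, 1024, 768));
    return 0;
}
```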

Tags: Exploit · Fix · DoS · Heap Based Buffer Overflow

Weakness Enumeration

Related Identifiers

ALSA-2026:6340
ALSA-2026:6799
ALSA-2026:6918
BDU:2026-04141
CVE-2026-31806
GHSA-RRQM-46RJ-CMX2
MGASA-2026-0086
OESA-2026-2036
OESA-2026-2037
OESA-2026-2038
OESA-2026-2039
OESA-2026-2040
OPENSUSE-SU-2026:10408-1
OPENSUSE-SU-2026:10459-1
OPENSUSE-SU-2026:20632-1
OPENSUSE-SU-2026:20657-1
RHSA-2026:10076
RHSA-2026:10734
RHSA-2026:10735
RHSA-2026:10951
RHSA-2026:11323
RHSA-2026:6340
RHSA-2026:6727
RHSA-2026:6743
RHSA-2026:6799
RHSA-2026:6918
RHSA-2026:6958
RHSA-2026:9640
RHSA-2026:9641
SUSE-SU-2026:1129-1
SUSE-SU-2026:1160-1
SUSE-SU-2026:1164-1
SUSE-SU-2026:1165-1
SUSE-SU-2026:1398-1
SUSE-SU-2026:1640-1
SUSE-SU-2026:21436-1

Affected Products

Freerdp
Rocky Linux