PT-2026-43250 · Freerdp · Freerdp

Kevin-Valerio · Published 2026-04-21 · Updated 2026-05-27 · CVE-2026-40033

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: FreeRDP versions prior to 3.26.0

Description: A heap-based buffer overflow exists in the GDI CacheToSurface handler, gdi_CacheToSurface(). Rectangle validation clamps the destination coordinates to UINT16_MAX, but the subsequent copy uses the unclamped dimensions of the cache entry, so a destination rectangle that only passed the bounds check because it was clamped is still blitted at its full size. A malicious RDP server can use this to trigger large out-of-bounds writes to heap memory in the client, leading to a crash or potentially remote code execution.

Recommendations: Update to FreeRDP 3.26.0 or later.
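The following C program is an added illustration of the validation/copy mismatch described above; it is not FreeRDP's code, and the types, function names and the 65535-wide surface scenario are assumptions constructed for this model. It shows a bounds check that clamps the destination rectangle to UINT16_MAX accepting a cache entry whose real extent runs past the end of the surface buffer, computes how far the unclamped copy would overrun the heap allocation, and contrasts it with a check that compares the unclamped edges in 32-bit arithmetic before copying exactly the validated extent.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a GFX surface and a bitmap-cache slot; these are not FreeRDP's types. */
enum { BPP = 4 }; /* bytes per pixel, fixed for this model (assumption) */

typedef struct { uint16_t left, top, right, bottom; } rect16_t;
typedef struct { uint16_t width, height; uint8_t *data; } surface_t;     /* heap buffer, width*height*BPP */
typedef struct { uint16_t width, height; uint8_t *data; } cache_entry_t; /* cached bitmap, width*height*BPP */

static bool rect_within(const rect16_t *r, uint16_t w, uint16_t h)
{
    return r->left <= r->right && r->top <= r->bottom && r->right <= w && r->bottom <= h;
}

/* Vulnerable pattern: the destination rectangle is clamped to UINT16_MAX before the bounds
 * check, so an entry whose true edge exceeds 65535 still "fits" a surface whose edge is 65535. */
static bool validate_clamped(const surface_t *s, const cache_entry_t *e, uint16_t x, uint16_t y)
{
    const uint32_t right  = (uint32_t)x + e->width;
    const uint32_t bottom = (uint32_t)y + e->height;
    const rect16_t r = { x, y,
                         (uint16_t)(right  > UINT16_MAX ? UINT16_MAX : right),
                         (uint16_t)(bottom > UINT16_MAX ? UINT16_MAX : bottom) };
    return rect_within(&r, s->width, s->height);
}

/* Hardened check: compare the unclamped edges, in 32-bit arithmetic, against the surface. */
static bool validate_unclamped(const surface_t *s, const cache_entry_t *e, uint16_t x, uint16_t y)
{
    return (uint32_t)x + e->width <= s->width && (uint32_t)y + e->height <= s->height;
}

/* Bytes a full-size copy of the entry at (x, y) would write past the end of the surface's
 * heap allocation. Computed arithmetically; this model never performs the bad write. */
static size_t overrun_bytes(const surface_t *s, const cache_entry_t *e, uint16_t x, uint16_t y)
{
    if (e->width == 0 || e->height == 0)
        return 0;
    const size_t stride   = (size_t)s->width * BPP;
    const size_t surf_len = stride * s->height;
    const size_t last_end = ((size_t)y + e->height - 1) * stride + ((size_t)x + e->width) * BPP;
    return last_end > surf_len ? last_end - surf_len : 0;
}

/* Hardened CacheToSurface: refuse unless the unclamped rectangle fits, then copy exactly the
 * validated extent row by row. Returns false when the request is rejected. */
static bool cache_to_surface_fixed(surface_t *s, const cache_entry_t *e, uint16_t x, uint16_t y)
{
    if (!validate_unclamped(s, e, x, y))
        return false;
    const size_t dst_stride = (size_t)s->width * BPP;
    const size_t src_stride = (size_t)e->width * BPP;
    for (uint32_t row = 0; row < e->height; row++)
        memcpy(s->data + ((size_t)y + row) * dst_stride + (size_t)x * BPP,
               e->data + (size_t)row * src_stride, src_stride);
    return true;
}

/* Allocates a zeroed surface and a 0xAB-filled entry, runs the hardened blit, and returns the
 * number of surface bytes now equal to 0xAB (-1 when the blit was refused or allocation failed). */
static long fixed_blit_demo(uint16_t sw, uint16_t sh, uint16_t cw, uint16_t ch, uint16_t x, uint16_t y)
{
    surface_t s = { sw, sh, calloc((size_t)sw * sh, BPP) };
    cache_entry_t e = { cw, ch, malloc((size_t)cw * ch * BPP) };
    long written = -1;
    if (s.data && e.data) {
        memset(e.data, 0xAB, (size_t)cw * ch * BPP);
        if (cache_to_surface_fixed(&s, &e, x, y)) {
            written = 0;
            for (size_t i = 0; i < (size_t)sw * sh * BPP; i++)
                written += s.data[i] == 0xAB;
        }
    }
    free(s.data);
    free(e.data);
    return written;
}

int main(void)
{
    /* Constructed attack shape: a 65535-pixel-wide surface and a 1000-pixel-wide cache entry
     * placed at x = 65000, so x + width = 66000 exceeds UINT16_MAX and is clamped to 65535. */
    const surface_t s = { 65535, 64, NULL };
    const cache_entry_t e = { 1000, 1, NULL };
    printf("clamped check accepts:   %d\n", validate_clamped(&s, &e, 65000, 63));
    printf("unclamped check accepts: %d\n", validate_unclamped(&s, &e, 65000, 63));
    printf("heap overrun bytes:      %zu\n", overrun_bytes(&s, &e, 65000, 63));
    printf("fixed blit 4x4 at (4,4) into 8x8: %ld bytes written\n", fixed_blit_demo(8, 8, 4, 4, 4, 4));
    return 0;
}
```

The lesson the model makes concrete: the rectangle that is checked and the rectangle that is copied must be the same object. Clamping a coordinate so that it can be stored in a UINT16 and then validating the clamped value is not a bounds check on the copy that follows; either reject on overflow outright or derive the copy extent from the validated rectangle.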

Tags: Exploit · Fix · RCE · Heap Based Buffer Overflow

Weakness Enumeration

Related Identifiers

BDU:2026-07426
CVE-2026-40033

Affected Products

Freerdp