PT-2026-44982 · Freerdp · Freerdp

Kevin-Valerio · Published 2026-05-29 · Updated 2026-05-30 · CVE-2026-44421

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FreeRDP versions prior to 3.26.0

Description: A heap-buffer-overflow write can be triggered in the client when connecting to a malicious RDP server that sends crafted RDPGFX PDUs (Protocol Data Units). The issue occurs in the gdi CacheToSurface() function, which validates a destination rectangle clamped to UINT16_MAX but executes the copy operation using the original cacheEntry->width and cacheEntry->height variables. This results in a large out-of-bounds heap write that may lead to client crashes or remote code execution. This issue is only reachable when the client has RDPGFX enabled.

Recommendations: Update to version 3.26.0. As a temporary workaround, disable RDPGFX to minimize the risk of exploitation.
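The bug class the description attributes to CacheToSurface(), a rectangle that is clamped and validated while the copy runs over the unclamped dimensions, modelled in a constructed C example added here. This is not FreeRDP code: the types cache_entry_t, surface_t and rect_t, the functions flawed_check_overrun_cols and safe_cache_to_surface, and the 100000x32 sample entry are all assumptions. The flawed path only computes how far the copy would run past the surface and never writes; the hardened path checks the real extent in 64-bit arithmetic and copies exactly what it validated.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical types standing in for the advisory's cache entry and surface. */
typedef struct { uint32_t width, height; const uint32_t *pixels; } cache_entry_t; /* server-controlled */
typedef struct { uint16_t width, height; uint32_t *pixels; } surface_t;           /* client heap buffer */
typedef struct { uint32_t left, top, right, bottom; } rect_t;

static uint32_t clamp_u16(uint64_t v) { return v > UINT16_MAX ? UINT16_MAX : (uint32_t)v; }

/* The rectangle the flawed path validates: its edges saturate at UINT16_MAX. */
static rect_t clamped_dest_rect(uint32_t x, uint32_t y, const cache_entry_t *e) {
    rect_t r = { x, y, clamp_u16((uint64_t)x + e->width), clamp_u16((uint64_t)y + e->height) };
    return r;
}

static bool rect_fits(const rect_t *r, const surface_t *s) {
    return r->left < r->right && r->top < r->bottom &&
           r->right <= s->width && r->bottom <= s->height;
}

/* Flawed pattern (modelled, nothing is written): the clamped rectangle is checked,
 * but the copy loop would iterate e->width x e->height. Returns -1 when the check
 * rejects the entry, otherwise the number of columns the copy would run past the
 * surface's right edge (0 means the check really was sufficient). */
static int64_t flawed_check_overrun_cols(uint32_t x, uint32_t y,
                                         const cache_entry_t *e, const surface_t *s) {
    rect_t r = clamped_dest_rect(x, y, e);
    if (!rect_fits(&r, s))
        return -1;
    uint64_t real_right = (uint64_t)x + e->width;   /* extent the copy actually uses */
    return real_right > s->width ? (int64_t)(real_right - s->width) : 0;
}

/* Hardened pattern: bounds-check the real dimensions in 64-bit arithmetic and copy
 * exactly that extent; returns false and writes nothing on rejection. */
static bool safe_cache_to_surface(uint32_t x, uint32_t y, const cache_entry_t *e, surface_t *s) {
    uint64_t right = (uint64_t)x + e->width, bottom = (uint64_t)y + e->height;
    if (e->width == 0 || e->height == 0 || right > s->width || bottom > s->height)
        return false;
    for (uint32_t row = 0; row < e->height; row++)
        memcpy(&s->pixels[(size_t)(y + row) * s->width + x],
               &e->pixels[(size_t)row * e->width],
               (size_t)e->width * sizeof(uint32_t));
    return true;
}

/* Demo: a constructed oversized entry (100000x32) against a 65535x64 surface. The
 * surface carries no buffer because the flawed model never writes. */
static int64_t demo_flawed_accepts_oversized(void) {
    surface_t s = { UINT16_MAX, 64, NULL };
    cache_entry_t e = { 100000, 32, NULL };
    return flawed_check_overrun_cols(0, 0, &e, &s);   /* check passes, 34465 columns past the edge */
}

static bool demo_hardened_rejects_oversized(void) {
    surface_t s = { UINT16_MAX, 64, NULL };
    cache_entry_t e = { 100000, 32, NULL };
    return !safe_cache_to_surface(0, 0, &e, &s);      /* rejected before any write */
}

/* Demo: hardened copy of an 8x8 entry filled with 0xAABBCCDD into a real 16x16 heap
 * surface at (dx,dy); returns the pixel at (qx,qy) afterwards, or 0 if rejected. */
static uint32_t demo_hardened_copy(uint32_t dx, uint32_t dy, uint32_t qx, uint32_t qy) {
    uint32_t src[8 * 8];
    for (size_t i = 0; i < 8 * 8; i++) src[i] = 0xAABBCCDDu;
    uint32_t *buf = calloc(16 * 16, sizeof *buf);
    if (!buf) return 0;
    surface_t s = { 16, 16, buf };
    cache_entry_t e = { 8, 8, src };
    uint32_t out = safe_cache_to_surface(dx, dy, &e, &s) ? buf[(size_t)qy * 16 + qx] : 0;
    free(buf);
    return out;
}
```

The defensive point is in safe_cache_to_surface: the value that decides whether the copy is allowed must be the same value that drives the copy loop. Any saturating or narrowing conversion between the check and the loop reopens the gap the advisory describes, so the check is done on the server-supplied width and height directly, widened rather than clamped.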

Exploit

Fix

Weakness Enumeration: Heap Based Buffer Overflow

Related Identifiers: CVE-2026-44421

Affected Products: Freerdp