FreeRDP
By the Year
In 2026 there have been 61 vulnerabilities in FreeRDP with an average score of 6.0 out of ten. Last year, in 2025, FreeRDP had 1 security vulnerability published. That is, 60 more vulnerabilities have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 61 | 5.99 |
| 2025 | 1 | 0.00 |
| 2024 | 12 | 8.63 |
| 2023 | 17 | 6.67 |
| 2022 | 11 | 5.22 |
| 2021 | 2 | 7.05 |
| 2020 | 40 | 4.47 |
| 2019 | 2 | 0.00 |
| 2018 | 13 | 7.82 |
It may take a day or so for new FreeRDP vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent FreeRDP Security Vulnerabilities
FreeRDP Kerberos Double-Free Crash (fixed in 3.24.2)
CVE-2026-33995
5.3 - Medium
- March 30, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a double-free vulnerability in kerberos_AcceptSecurityContext() and kerberos_InitializeSecurityContextA() (WinPR, winpr/libwinpr/sspi/Kerberos/kerberos.c) can cause a crash in any FreeRDP client on systems where Kerberos and/or Kerberos U2U is configured (Samba AD member, or krb5 for NFS). The crash is triggered during NLA connection teardown and requires a failed authentication attempt. This issue has been patched in version 3.24.2.
Double-free
FreeRDP persistent cache bmpSize inflation on realloc failure before 3.24.2
CVE-2026-33987
7.1 - High
- March 30, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in persistent_cache_read_entry_v3() in libfreerdp/cache/persistent.c, persistent->bmpSize is updated before winpr_aligned_recalloc(). If realloc fails, bmpSize is inflated while bmpData points to the old buffer. This issue has been patched in version 3.24.2.
Heap-based Buffer Overflow
FreeRDP <3.24.2 h264 Buffer Use-After-Free: premature width/height update
CVE-2026-33986
7.5 - High
- March 30, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in yuv_ensure_buffer() in libfreerdp/codec/h264.c, h264->width and h264->height are updated before the reallocation loop. If any winpr_aligned_recalloc() call fails, the function returns FALSE but width/height are already inflated. This issue has been patched in version 3.24.2.
Heap-based Buffer Overflow
FreeRDP <3.24.2: Adjacent Heap Pixel Leakage (Fixed in 3.24.2)
CVE-2026-33985
5.9 - Medium
- March 30, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, pixel data from adjacent heap memory is rendered to screen, potentially leaking sensitive data to the attacker. This issue has been patched in version 3.24.2.
Out-of-bounds Read
FreeRDP <3.24.2 Heap Buffer Overflow in resize_vbar_entry()
CVE-2026-33984
7.5 - High
- March 30, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in resize_vbar_entry() in libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count before the winpr_aligned_recalloc() call. If realloc fails, size is inflated while pixels still points to the old, smaller buffer. On a subsequent call where count <= size (the inflated value), realloc is skipped. The caller then writes count * bpp bytes of attacker-controlled pixel data into the undersized buffer, causing a heap buffer overflow. This issue has been patched in version 3.24.2.
Heap-based Buffer Overflow
FreeRDP 3.24.2 DoS: progressive_decompress_tile_upgrade() shift bug
CVE-2026-33983
6.5 - Medium
- March 30, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, progressive_decompress_tile_upgrade() detects a mismatch via progressive_rfx_quant_cmp_equal() but only emits WLog_WARN; execution continues. The wrapped value (247) is used as a shift exponent, causing undefined behavior and an approximately 80 billion iteration loop (CPU DoS). This issue has been patched in version 3.24.2.
Integer Overflow or Wraparound
FreeRDP Heap-Buffer-Overflow Before alloc (pre-3.24.2)
CVE-2026-33982
7.1 - High
- March 30, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, there is a heap-buffer-overflow READ vulnerability at 24 bytes before the allocation, in winpr_aligned_offset_recalloc(). This issue has been patched in version 3.24.2.
Out-of-bounds Read
FreeRDP <3.24.2: Pre-auth DOS via unvalidated auth_length in RPC-over-HTTP
CVE-2026-33952
6.5 - Medium
- March 30, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, an unvalidated auth_length field read from the network triggers a WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks(), causing any FreeRDP client connecting through a malicious RDP Gateway to crash with SIGABRT. This is a pre-authentication denial of service affecting all FreeRDP clients using RPC-over-HTTP gateway transport. The assertion is active in default release builds (WITH_VERBOSE_WINPR_ASSERT=ON). This issue has been patched in version 3.24.2.
assertion failure
FreeRDP Audio Crash via Invalid IMA ADPCM Step Index < 3.24.2
CVE-2026-33977
- March 30, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a malicious RDP server can crash the FreeRDP client by sending audio data in IMA ADPCM format with an invalid initial step index value (>= 89). The unvalidated step index is read directly from the network and used to index into an 89-entry lookup table, triggering a WINPR_ASSERT() failure and process abort via SIGABRT. This affects any FreeRDP client that has audio redirection (RDPSND) enabled, which is the default configuration. This issue has been patched in version 3.24.2.
assertion failure
FreeRDP <=3.23.0 OOB Read in freerdp_bitmap_decompress_planar
CVE-2026-31897
0 - Low
- March 13, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in freerdp_bitmap_decompress_planar when SrcSize is 0. The function dereferences *srcp (which points to pSrcData) without first verifying that SrcSize >= 1. When SrcSize is 0 and pSrcData is non-NULL, this reads one byte past the end of the source buffer. This vulnerability is fixed in 3.24.0.
Out-of-bounds Read
FreeRDP <3.24.0 GDI Surface heap overflow via bogus SURFACE_BITS
CVE-2026-31806
- March 13, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits() function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size. Because these values are used during bitmap decoding and memory operations without proper bounds checking, this can lead to a heap buffer overflow. Since the attacker can also control the associated pixel data transmitted by the server, the overflow may be exploitable to overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0.
Heap-based Buffer Overflow
OOB Read in FreeRDP MS-ADPCM/IMA-ADPCM Decoders before 3.24.0
CVE-2026-31885
6.5 - Medium
- March 13, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input data. This vulnerability is fixed in 3.24.0.
Out-of-bounds Read
FreeRDP <3.24.0 Division by Zero in ADPCM Decoders Causes Crash
CVE-2026-31884
6.5 - Medium
- March 13, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is a division by zero in the MS-ADPCM and IMA-ADPCM decoders when nBlockAlign is 0, leading to a crash. In libfreerdp/codec/dsp.c, both ADPCM decoders use size % block_size where block_size = context->common.format.nBlockAlign. The nBlockAlign value comes from the Server Audio Formats PDU on the RDPSND channel. The value 0 is not validated anywhere before reaching the decoder. When nBlockAlign = 0, the modulo operation causes a SIGFPE (floating point exception) crash. This vulnerability is fixed in 3.24.0.
Divide By Zero
FreeRDP <3.24 Heap Overflow via IMA/MS-ADPCM Audio Decoders
CVE-2026-31883
6.5 - Medium
- March 13, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.
Integer underflow
FreeRDP <3.24.0 Integer Underflow in update_read_cache_bitmap_order
CVE-2026-29776
3.1 - Low
- March 13, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an integer underflow in the update_read_cache_bitmap_order function of FreeRDP's core library. This vulnerability is fixed in 3.24.0.
Integer Overflow or Wraparound
FreeRDP bitmap_cache OOB read/write before 3.24.0
CVE-2026-29775
5.3 - Medium
- March 13, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.
Memory Corruption
FreeRDP <3.24.0 Client-Side Heap Overflow in AVC420 YUV-to-RGB Path
CVE-2026-29774
5.3 - Medium
- March 13, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing horizontal bounds validation of H.264 metablock regionRects coordinates. In yuv.c, the clamp() function (line 347) only validates top/bottom against the surface/YUV height, but never checks left/right against the surface width. When avc420_yuv_to_rgb (line 67) computes destination and source pointers using rect->left, it performs unchecked pointer arithmetic that can reach far beyond the allocated surface buffer. A malicious server sends a WIRE_TO_SURFACE_PDU_1 with AVC420 codec containing a regionRects entry where left greatly exceeds the surface width (e.g., left=60000 on a 128px surface). The H.264 bitstream decodes successfully, then yuv420_process_work_callback calls avc420_yuv_to_rgb which computes pDstPoint = pDstData + rect->top * nDstStep + rect->left * 4, writing 16-byte SSE vectors 1888+ bytes past the allocated heap region. This vulnerability is fixed in 3.24.0.
Memory Corruption
FreeRDP DoS via endless loop in Stream_EnsureCapacity (before 3.23.0)
CVE-2026-27951
5.3 - Medium
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and server implementations using `FreeRDP`. For practical exploitation this will only work on 32-bit systems where the available physical memory is `>= SIZE_MAX`. Version 3.23.0 contains a patch. No known workarounds are available.
Integer Overflow or Wraparound
FreeRDP SDL2 Heap UAF until v3.23.0 (incomplete fix in SDL3)
CVE-2026-27950
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to the SDL3 code path. In the SDL2 implementation, the pointer is not nulled after free. This creates a situation where the advisory suggests the vulnerability is fully resolved, while builds or environments still using SDL2 may retain the vulnerable logic. A complete fix is available in version 3.23.0.
Dangling pointer
FreeRDP <3.23.0: use-after-free in rail_window_free (HashTable_Free)
CVE-2026-26986
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.
Dangling pointer
FreeRDP RLE planar decode OOB write before 3.23.0
CVE-2026-26965
8.8 - High
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop 128×128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data; control-flow-relevant corruption (function pointer overwritten) was demonstrated under a deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability.
Memory Corruption
FreeRDP <3.23.0 GDI Heap OOB via RDPGFX ClearCodec
CVE-2026-26955
8.8 - High
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command; full instruction pointer (RIP) control was demonstrated in an exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.
Memory Corruption
FreeRDP <3.23.0 Crash via smartcard_unpack Bounds Check (WINPR_ASSERT)
CVE-2026-27015
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue.
assertion failure
FreeRDP Buffer Overread in freerdp_image_copy_from_icon_data() <3.23
CVE-2026-26271
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer overread in `freerdp_image_copy_from_icon_data()` (libfreerdp/codec/color.c) can be triggered by crafted RDP Window Icon (TS_ICON_INFO) data. The bug is reachable over the network when a client processes icon data from an RDP server (or from a man-in-the-middle). Version 3.23.0 fixes the issue.
Buffer Over-read
FreeRDP <3.23 UAF via xf_clipboard_format_equal & X11 thread
CVE-2026-25997
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes the issue.
Dangling pointer
FreeRDP <3.23: Heap Use-After-Free in xf_cliprdr via XChangeProperty
CVE-2026-25959
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response`, which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data` → `HashTable_Clear`, which frees the same data via `xf_cached_data_free`, triggering a heap use after free. Version 3.23.0 fixes the issue.
Dangling pointer
FreeRDP before 3.23.0: XImage data reuse via freed RDPGFX surface
CVE-2026-25955
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue.
Dangling pointer
FreeRDP v<3.23.0 RAIL Unprotected xfAppWindow Pointer Deref
CVE-2026-25954
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
Dangling pointer
FreeRDP <3.23.0 UAF via RDPGFX DVC thread, CVE-2026-25953
CVE-2026-25953
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue.
Dangling pointer
FreeRDP 3.x RAIL Channel Nullptr Deref of Freed wf Window before v3.23
CVE-2026-25952
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
Dangling pointer
FreeRDP <3.23.0 OOB Read in xf_rail_server_execute_result
CVE-2026-25942
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 0–6) with an unchecked `execResult->execResult` value received from the server, allowing an out-of-bounds read when the server sends an `execResult` value of 7 or greater. Version 3.23.0 fixes the issue.
Out-of-bounds Read
FreeRDP rdpGFX OOB Read <=2.11.8/<=3.23.0 via WIRE_TO_SURFACE_2
CVE-2026-25941
4.3 - Medium
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue.
Improper Input Validation
FreeRDP <3.22.0 Use-After-Free in RDPSND Async Playback
CVE-2026-24684
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsnd_treat_wave. This vulnerability is fixed in 3.22.0.
Dangling pointer
FreeRDP <3.22.0 Use-After-Free via unsynchronized channel_callback
CVE-2026-24683
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, ainput_send_input_event caches channel_callback in a local variable and later uses it without synchronization; a concurrent channel close can free or reinitialize the callback, leading to a use after free. This vulnerability is fixed in 3.22.0.
Dangling pointer
FreeRDP BFA in audin_server_recv_formats pre 3.22.0
CVE-2026-24682
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, audin_server_recv_formats frees an incorrect number of audio formats on parse failure (i + i), leading to out-of-bounds access in audio_formats_free. This vulnerability is fixed in 3.22.0.
Heap-based Buffer Overflow
FreeRDP <3.22.0 UAF via async bulk transfer completions
CVE-2026-24681
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, asynchronous bulk transfer completions can use a freed channel callback after URBDRC channel close, leading to a use after free in urb_write_completion. This vulnerability is fixed in 3.22.0.
Dangling pointer
FreeRDP SDL Pointer Double-Free in SDL_Pointer_Free before 3.22.0
CVE-2026-24680
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, sdl_Pointer_New frees data on failure, then pointer_free calls sdl_Pointer_Free and frees it again, triggering ASan UAF. This vulnerability is fixed in 3.22.0.
Dangling pointer
Out-of-bounds read in URBDRC libusb_udev_select_interface (FreeRDP < 3.22.0)
CVE-2026-24679
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the URBDRC client uses server-supplied interface numbers as array indices without bounds checks, causing an out-of-bounds read in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
Heap-based Buffer Overflow
FreeRDP <=3.21 UAF via Ecam_Channel_Write (fixed 3.22.0)
CVE-2026-24678
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, a capture thread sends sample responses using a freed channel callback after a device channel close, leading to a use after free in ecam_channel_write. This vulnerability is fixed in 3.22.0.
Dangling pointer
FreeRDP <=3.21.0 ecam_encoder_compress_h264 OOB Read in sws_scale
CVE-2026-24677
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, ecam_encoder_compress_h264 trusts server-controlled dimensions and does not validate the source buffer size, leading to an out-of-bounds read in sws_scale. This vulnerability is fixed in 3.22.0.
Dangling pointer
Use After Free in AUDIN Renegotiation (FreeRDP < 3.22.0)
CVE-2026-24676
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, AUDIN format renegotiation frees the active format list while the capture thread continues using audin->format, leading to a use after free in audio_format_compatible. This vulnerability is fixed in 3.22.0.
Dangling pointer
FreeRDP <3.22.0 UAF in libusb_udev_select_interface
CVE-2026-24675
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, urb_select_interface can free the device's MS config on error but later code still dereferences it, leading to a use after free in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
Dangling pointer
FreeRDP UAF in video_timer before 3.22.0 Release
CVE-2026-24491
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notifications after the control channel is closed, dereferencing a freed callback and triggering a use after free. This vulnerability is fixed in 3.22.0.
Dangling pointer
FreeRDP rdp_write_logon_info_v2 Null Pointer Deref before 3.22
CVE-2026-23948
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, a NULL pointer dereference vulnerability in rdp_write_logon_info_v2() allows a malicious RDP server to crash FreeRDP proxy by sending a specially crafted LogonInfoV2 PDU with cbDomain=0 or cbUserName=0. This vulnerability is fixed in 3.22.0.
NULL Pointer Dereference
FreeRDP <3.21.0 UAF via Offscreen Bitmap deletion
CVE-2026-23884
- January 19, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client-side use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Dangling pointer
FreeRDP double-free in xf_Pointer_New before 3.21.0 (UAF DoS)
CVE-2026-23883
- January 19, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client-side use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Dangling pointer
FreeRDP FastGlyph parsing buffer overflow fixed in 3.21.0
CVE-2026-23732
- January 19, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client-side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue.
Heap-based Buffer Overflow
FreeRDP <3.21.0 client heap overflow in ClearCodec decode path DoS/code exec
CVE-2026-23534
- January 19, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Heap-based Buffer Overflow
FreeRDP <3.21.0 Client Heap Buffer Overflow in RDPGFX ClearCodec
CVE-2026-23533
- January 19, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Heap-based Buffer Overflow
FreeRDP <3.21.0: Client-side Heap Buffer Overflow in gdi_SurfaceToSurface
CVE-2026-23532
- January 19, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client's `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Heap-based Buffer Overflow