FreeRDP
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in FreeRDP.
By the Year
In 2026 there have been 52 vulnerabilities in FreeRDP with an average score of 5.5 out of ten. Last year, in 2025 Freerdp had 1 security vulnerability published. That is, 51 more vulnerabilities have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 52 | 5.49 |
| 2025 | 1 | 0.00 |
| 2024 | 12 | 8.63 |
| 2023 | 17 | 6.67 |
| 2022 | 11 | 5.22 |
| 2021 | 2 | 7.05 |
| 2020 | 40 | 4.47 |
| 2019 | 2 | 0.00 |
| 2018 | 13 | 7.82 |
It may take a day or so for new Freerdp vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent FreeRDP Security Vulnerabilities
FreeRDP <=3.23.0 OOB Read in freerdp_bitmap_decompress_planar
CVE-2026-31897
0 - Low
- March 13, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in freerdp_bitmap_decompress_planar when SrcSize is 0. The function dereferences *srcp (which points to pSrcData) without first verifying that SrcSize >= 1. When SrcSize is 0 and pSrcData is non-NULL, this reads one byte past the end of the source buffer. This vulnerability is fixed in 3.24.0.
Out-of-bounds Read
FreeRDP <3.24.0 GDI Surface heap overflow via bogus SURFACE_BITS
CVE-2026-31806
- March 13, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits() function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size. Because these values are used during bitmap decoding and memory operations without proper bounds checking, this can lead to a heap buffer overflow. Since the attacker can also control the associated pixel data transmitted by the server, the overflow may be exploitable to overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0.
Heap-based Buffer Overflow
OOB Read in FreeRDP MS-ADPCM/IMA-ADPCM Decoders before 3.24.0
CVE-2026-31885
6.5 - Medium
- March 13, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input data. This vulnerability is fixed in 3.24.0.
Out-of-bounds Read
FreeRDP <3.24.0 Division by Zero in ADPCM Decoders Causes Crash
CVE-2026-31884
6.5 - Medium
- March 13, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, division by zero in MS-ADPCM and IMA-ADPCM decoders when nBlockAlign is 0, leading to a crash. In libfreerdp/codec/dsp.c, both ADPCM decoders use size % block_size where block_size = context->common.format.nBlockAlign. The nBlockAlign value comes from the Server Audio Formats PDU on the RDPSND channel. The value 0 is not validated anywhere before reaching the decoder. When nBlockAlign = 0, the modulo operation causes a SIGFPE (floating point exception) crash. This vulnerability is fixed in 3.24.0.
Divide By Zero
FreeRDP <3.24 Heap Overflow via IMA/MS-ADPCM Audio Decoders
CVE-2026-31883
6.5 - Medium
- March 13, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.
Integer underflow
FreeRDP <3.24.0 Integer Underflow in update_read_cache_bitmap_order
CVE-2026-29776
3.1 - Low
- March 13, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, Integer Underflow in update_read_cache_bitmap_order Function of FreeRDP's Core Library This vulnerability is fixed in 3.24.0.
Integer Overflow or Wraparound
FreeRDP bitmap_cache OOB read/write before 3.24.0
CVE-2026-29775
5.3 - Medium
- March 13, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.
Memory Corruption
FreeRDP <3.24.0 Client-Side Heap Overflow in AVC420 YUV-to-RGB Path
CVE-2026-29774
5.3 - Medium
- March 13, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing horizontal bounds validation of H.264 metablock regionRects coordinates. In yuv.c, the clamp() function (line 347) only validates top/bottom against the surface/YUV height, but never checks left/right against the surface width. When avc420_yuv_to_rgb (line 67) computes destination and source pointers using rect->left, it performs unchecked pointer arithmetic that can reach far beyond the allocated surface buffer. A malicious server sends a WIRE_TO_SURFACE_PDU_1 with AVC420 codec containing a regionRects entry where left greatly exceeds the surface width (e.g., left=60000 on a 128px surface). The H.264 bitstream decodes successfully, then yuv420_process_work_callback calls avc420_yuv_to_rgb which computes pDstPoint = pDstData + rect->top * nDstStep + rect->left * 4, writing 16-byte SSE vectors 1888+ bytes past the allocated heap region. This vulnerability is fixed in 3.24.0.
Memory Corruption
FreeRDP DoS via endless loop in Stream_EnsureCapacity (before 3.23.0)
CVE-2026-27951
5.3 - Medium
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and server implementations using `FreeRDP`. For practical exploitation this will only work on 32bit systems where the available physical memory is `>= SIZE_MAX`. Version 3.23.0 contains a patch. No known workarounds are available.
Integer Overflow or Wraparound
FreeRDP SDL2 Heap UAF until v3.23.0 (incomplete fix in SDL3)
CVE-2026-27950
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to the SDL3 code path. In the SDL2 implementation, the pointer is not nulled after free. This creates a situation where the advisory suggests the vulnerability is fully resolved, while builds or environments still using SDL2 may retain the vulnerable logic. A complete fix is available in version 3.23.0.
Dangling pointer
FreeRDP <3.23.0: useafterfree in rail_window_free (HashTable_Free)
CVE-2026-26986
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.
Dangling pointer
FreeRDP RLE planar decode OOB write before 3.23.0
CVE-2026-26965
8.8 - High
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop 128×128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data control-flowrelevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability.
Memory Corruption
FreeRDP <3.23.0 GDI Heap OOB via RDPGFX ClearCodec
CVE-2026-26955
8.8 - High
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.
Memory Corruption
FreeRDP <3.23.0 Crash via smartcard_unpack Bounds Check (WINPR_ASSERT)
CVE-2026-27015
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue.
assertion failure
FreeRDP Buffer Overread in freerdp_image_copy_from_icon_data() <3.23
CVE-2026-26271
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer overread in `freerdp_image_copy_from_icon_data()` (libfreerdp/codec/color.c) can be triggered by crafted RDP Window Icon (TS_ICON_INFO) data. The bug is reachable over the network when a client processes icon data from an RDP server (or from a man-in-the-middle). Version 3.23.0 fixes the issue.
Buffer Over-read
FreeRDP <3.23 UAF via xf_clipboard_format_equal & X11 thread
CVE-2026-25997
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes the issue.
Dangling pointer
FreeRDP <3.23: Heap Use-After-Free in xf_cliprdr via XChangeProperty
CVE-2026-25959
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response` which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data` `HashTable_Clear` which frees the same data via `xf_cached_data_free`, triggering a heap use after free. Version 3.23.0 fixes the issue.
Dangling pointer
FreeRDP before 3.23.0: XImage data reuse via freed RDPGFX surface
CVE-2026-25955
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue.
Dangling pointer
FreeRDP v<3.23.0 RAIL Unprotected xfAppWindow Pointer Deref
CVE-2026-25954
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
Dangling pointer
FreeRDP <3.23.0 UAF via RDPGFX DVC thread, CVE-2026-25953
CVE-2026-25953
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue.
Dangling pointer
FreeRDP 3.x RAIL Channel Nullptr Deref of Freed wf Window before v3.23
CVE-2026-25952
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
Dangling pointer
FreeRDP <3.23.0 OOB Read in xf_rail_server_execute_result
CVE-2026-25942
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 06) with an unchecked `execResult->execResult` value received from the server, allowing an out-of-bounds read when the server sends an `execResult` value of 7 or greater. Version 3.23.0 fixes the issue.
Out-of-bounds Read
FreeRDP rdpGFX OOB Read <=2.11.8/<=3.23.0 via WIRE_TO_SURFACE_2
CVE-2026-25941
4.3 - Medium
- February 25, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue.
Improper Input Validation
FreeRDP <3.22.0 Use-After-Free in RDPSND Async Playback
CVE-2026-24684
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsnd_treat_wave. This vulnerability is fixed in 3.22.0.
Dangling pointer
FreeRDP <3.22.0 Use-After-Free via unsynchronized channel_callback
CVE-2026-24683
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. ainput_send_input_event caches channel_callback in a local variable and later uses it without synchronization; a concurrent channel close can free or reinitialize the callback, leading to a use after free. Prior to 3.22.0, This vulnerability is fixed in 3.22.0.
Dangling pointer
FreeRDP BFA in audin_server_recv_formats pre 3.22.0
CVE-2026-24682
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, audin_server_recv_formats frees an incorrect number of audio formats on parse failure (i + i), leading to out-of-bounds access in audio_formats_free. This vulnerability is fixed in 3.22.0.
Heap-based Buffer Overflow
FreeRDP <3.22.0 UAF via async bulk transfer completions
CVE-2026-24681
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, aAsynchronous bulk transfer completions can use a freed channel callback after URBDRC channel close, leading to a use after free in urb_write_completion. This vulnerability is fixed in 3.22.0.
Dangling pointer
FreeRDP SDL Pointer Double-Free in SDL_Pointer_Free before 3.22.0
CVE-2026-24680
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, sdl_Pointer_New frees data on failure, then pointer_free calls sdl_Pointer_Free and frees it again, triggering ASan UAF. This vulnerability is fixed in 3.22.0.
Dangling pointer
Out-of-bounds read in URBDRC libusb_udev_select_interface (FreeRDP < 3.22.0)
CVE-2026-24679
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, The URBDRC client uses server-supplied interface numbers as array indices without bounds checks, causing an out-of-bounds read in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
Heap-based Buffer Overflow
FreeRDP <=3.21 UAF via Ecam_Channel_Write (fixed 3.22.0)
CVE-2026-24678
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, A capture thread sends sample responses using a freed channel callback after a device channel close, leading to a use after free in ecam_channel_write. This vulnerability is fixed in 3.22.0.
Dangling pointer
FreeRDP <=3.21.0 ecam_encoder_compress_h264 OOB Read in sws_scale
CVE-2026-24677
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, ecam_encoder_compress_h264 trusts server-controlled dimensions and does not validate the source buffer size, leading to an out-of-bounds read in sws_scale. This vulnerability is fixed in 3.22.0.
Dangling pointer
Use After Free in AUDIN Renegotiation (FreeRDP < 3.22.0)
CVE-2026-24676
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, AUDIN format renegotiation frees the active format list while the capture thread continues using audin->format, leading to a use after free in audio_format_compatible. This vulnerability is fixed in 3.22.0.
Dangling pointer
FreeRDP <3.22.0 UAF in libusb_udev_select_interface
CVE-2026-24675
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, urb_select_interface can free the device's MS config on error but later code still dereferences it, leading to a use after free in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
Dangling pointer
FreeRDP UAF in video_timer before 3.22.0 Release
CVE-2026-24491
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notifications after the control channel is closed, dereferencing a freed callback and triggering a use after free. This vulnerability is fixed in 3.22.0.
Dangling pointer
FreeRDP rdp_write_logon_info_v2 Null Pointer Deref before 3.22
CVE-2026-23948
- February 09, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, a NULL pointer dereference vulnerability in rdp_write_logon_info_v2() allows a malicious RDP server to crash FreeRDP proxy by sending a specially crafted LogonInfoV2 PDU with cbDomain=0 or cbUserName=0. This vulnerability is fixed in 3.22.0.
NULL Pointer Dereference
FreeRDP <3.21.0 UAF via Offscreen Bitmap deletion
CVE-2026-23884
- January 19, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a clientside use after free, causing a crash (DoS) and potential heap corruption with codeexecution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Dangling pointer
FreeRDP doublefree in xf_Pointer_New before 3.21.0 (UAF DoS)
CVE-2026-23883
- January 19, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a clientside use after free, causing a crash (DoS) and potential heap corruption with codeexecution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Dangling pointer
FreeRDP FastGlyph parsing buffer overflow fixed in 3.21.0
CVE-2026-23732
- January 19, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a clientside global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue.
Heap-based Buffer Overflow
FreeRDP <3.21.0 client heap overflow in ClearCodec decode path DoS/code exec
CVE-2026-23534
- January 19, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a clientside heap buffer overflow, causing a crash (DoS) and potential heap corruption with codeexecution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Heap-based Buffer Overflow
FreeRDP <3.21.0 Client Heap Buffer Overflow in RDPGFX ClearCodec
CVE-2026-23533
- January 19, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a clientside heap buffer overflow, causing a crash (DoS) and potential heap corruption with codeexecution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Heap-based Buffer Overflow
FreeRDP <3.21.0: Client-side Heap Buffer Overflow in gdi_SurfaceToSurface
CVE-2026-23532
- January 19, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP clients `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a clientside heap buffer overflow, causing a crash (DoS) and potential heap corruption with codeexecution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Heap-based Buffer Overflow
FreeRDP <3.21.0 ClearCodec OOB Read/Write Leading to Heap Buffer Overflow
CVE-2026-23531
- January 19, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a clientside heap buffer overflow, causing a crash (DoS) and potential heap corruption with codeexecution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Heap-based Buffer Overflow
FreeRDP <3.21.0 Heap Buffer Overflow in freerdp_bitmap_decompress_planar
CVE-2026-23530
- January 19, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a clientside heap buffer overflow, causing a crash (DoS) and potential heap corruption with codeexecution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Heap-based Buffer Overflow
Out-of-bounds read in FreeRDP URBDRC client <3.20.1
CVE-2026-22859
- January 14, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on serversupplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an outofbounds read. This vulnerability is fixed in 3.20.1.
Out-of-bounds Read
FreeRDP 3.20.1: fixed global-buffer-overflow in Base64 decoder (Arm/AArch64)
CVE-2026-22858
- January 14, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1.
Out-of-bounds Read
FreeRDP 3.20.0 Heap Use-After-Free in irp_thread_func
CVE-2026-22857
- January 14, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.
Dangling pointer
FreeRDP heap UAF in serial channel IRP tracking (pre 3.20.1)
CVE-2026-22856
- January 14, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap useafterfree when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.
Race Condition
FreeRDP 3.20.1 Patch for Heap OOB in SMARTCARD SetAttrib Path
CVE-2026-22855
- January 14, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1.
Out-of-bounds Read
FreeRDP Drive Channel Heap Buffer Overflow before 3.20.1
CVE-2026-22854
- January 14, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1.
Heap-based Buffer Overflow
FreeRDP RDPEAR NDR Array Overflow (fixed in 3.20.1)
CVE-2026-22853
- January 14, 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEARs NDR array reader does not perform bounds checking on the onwire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1.
Memory Corruption
