FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client by sending crafted RDPGFX PDUs. The bug is in gdi_CacheToSurface: it validates a destination rectangle that is clamped to UINT16_MAX, but then performs the copy using the original cacheEntry->width/height. This can cause a large out-of-bounds heap write and may lead to client crashes or code execution. This bug is reachable from a malicious RDP server, but only when the client has RDPGFX enabled. This vulnerability is fixed in 3.26.0.
References
| Link | Resource |
|---|---|
| https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6r2-4hgm-m6ff | Exploit Mitigation Vendor Advisory |
| https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6r2-4hgm-m6ff | Exploit Mitigation Vendor Advisory |
Configurations
History
01 Jun 2026, 19:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6r2-4hgm-m6ff - Exploit, Mitigation, Vendor Advisory |
01 Jun 2026, 17:35
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:* | |
| References | () https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6r2-4hgm-m6ff - Exploit, Vendor Advisory, Mitigation | |
| First Time |
Freerdp freerdp
Freerdp |
29 May 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-29 20:16
Updated : 2026-06-01 19:16
NVD link : CVE-2026-44421
Mitre link : CVE-2026-44421
CVE.ORG link : CVE-2026-44421
JSON object : View
Products Affected
freerdp
- freerdp
CWE
CWE-122
Heap-based Buffer Overflow