CVE-2026-40033

Name: CVE-2026-40033

Description: FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but performs copy operations using unclamped cache entry dimensions, enabling malicious RDP servers to trigger large out-of-bounds writes and potentially achieve remote code execution or client crash.

NVD Severity: unknown

References

| Type | URI |
|---|---|
| disclosure@vulncheck.com | https://github.com/FreeRDP/FreeRDP/commit/23b36cd00ebf0ccd97750fcdbc9aa2f362352da7 |
| disclosure@vulncheck.com | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6r2-4hgm-m6ff |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/freerdp-heap-buffer-overflow-in-gdi-cachetosurface-via-rectangle-validation-bypass |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:* | freerdp | >= None | < 3.26.0 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| freerdp | edge-community | 3.25.0-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | edge-community | 3.24.2-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | edge-community | 3.24.1-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | edge-community | 3.24.0-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | edge-community | 3.23.0-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | edge-community | 3.22.0-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | edge-community | 3.21.0-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | edge-community | 3.20.2-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | edge-community | 3.20.0-r1 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.20.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.18.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.16.0-r3 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.16.0-r2 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.16.0-r1 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.16.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.15.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.14.1-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.10.3-r1 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.10.3-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.10.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 2.11.7-r1 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 2.11.5-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 2.9.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 2.4.1-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 2.2.0-r0 | None | possibly vulnerable |
| freerdp | edge-community | 2.1.2-r0 | None | possibly vulnerable |
| freerdp | edge-community | 2.0.0_rc4-r0 | None | possibly vulnerable |
| freerdp | edge-community | 2.0.0-r1 | None | possibly vulnerable |
| freerdp | edge-community | 2.0.0-r0 | None | possibly vulnerable |
| freerdp | 3.23-community | 3.24.2-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | 3.23-community | 3.24.0-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | 3.23-community | 3.23.0-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | 3.23-community | 3.22.0-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | 3.23-community | 3.18.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |