CVE-2026-44421

Name: CVE-2026-44421

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client by sending crafted RDPGFX PDUs. The bug is in gdi_CacheToSurface: it validates a destination rectangle that is clamped to UINT16_MAX, but then performs the copy using the original cacheEntry->width/height. This can cause a large out-of-bounds heap write and may lead to client crashes or code execution. This bug is reachable from a malicious RDP server, but only when the client has RDPGFX enabled. This vulnerability is fixed in 3.26.0.

NVD Severity: unknown

References

| Type | URI |
| --- | --- |
| security-advisories@github.com | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6r2-4hgm-m6ff |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| `cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*` | freerdp | >= None | < 3.26.0 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| freerdp | edge-community | 3.25.0-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | edge-community | 3.24.2-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | edge-community | 3.24.1-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | edge-community | 3.24.0-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | edge-community | 3.23.0-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | edge-community | 3.22.0-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | edge-community | 3.21.0-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | edge-community | 3.20.2-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | edge-community | 3.20.0-r1 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.20.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.18.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.16.0-r3 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.16.0-r2 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.16.0-r1 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.16.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.15.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.14.1-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.10.3-r1 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.10.3-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 3.10.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 2.11.7-r1 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 2.11.5-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 2.9.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 2.4.1-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| freerdp | edge-community | 2.2.0-r0 | None | possibly vulnerable |
| freerdp | edge-community | 2.1.2-r0 | None | possibly vulnerable |
| freerdp | edge-community | 2.0.0_rc4-r0 | None | possibly vulnerable |
| freerdp | edge-community | 2.0.0-r1 | None | possibly vulnerable |
| freerdp | edge-community | 2.0.0-r0 | None | possibly vulnerable |
| freerdp | 3.23-community | 3.24.2-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | 3.23-community | 3.24.0-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | 3.23-community | 3.23.0-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | 3.23-community | 3.22.0-r0 | Lindsay Zhou <i@lin.moe> | possibly vulnerable |
| freerdp | 3.23-community | 3.18.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |