Cyber Posture

CVE-2026-23530

Critical · Public PoC

Published: 19 January 2026
Modified: 28 January 2026
Patch: available (3.21.0)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.7th percentile)
Risk Priority: 20 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly mandates identification, reporting, and timely patching of flaws like the heap buffer overflow in FreeRDP's `freerdp_bitmap_decompress_planar`, as fixed in version 3.21.0.
- prevent: Requires validation of information inputs such as `nSrcWidth` and `nSrcHeight` against `maxWidth` and `maxHeight` prior to RLE decompression to prevent the buffer overflow.
- prevent: Implements memory safeguards like non-executable heap regions and address randomization to mitigate code execution risks from heap corruption caused by the unvalidated bitmap decompression.

Security Summary

CVE-2026-23530 is a heap buffer overflow vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol, affecting versions prior to 3.21.0. The flaw occurs in the `freerdp_bitmap_decompress_planar` function, which does not validate the `nSrcWidth` and `nSrcHeight` parameters against `planar->maxWidth` and `maxHeight` before performing RLE decompression. Classified as CWE-122, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A remote attacker controlling a malicious RDP server can exploit this issue against a connecting FreeRDP client by sending crafted bitmap data. No user privileges or interaction are required, enabling low-complexity network-based attacks that trigger a client-side heap buffer overflow. This results in application crashes for denial of service, with potential heap corruption that could lead to code execution depending on the memory allocator and surrounding heap layout.

FreeRDP version 3.21.0 includes a patch resolving the vulnerability. Mitigation involves updating to this version or later, as detailed in the project's release notes and security advisory (GHSA-r4hv-852m-fq7p). Code changes addressing the validation are visible in the affected planar.c source files.
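The missing check in the Description and Security Summary above, as an added illustration that is not FreeRDP's code: a minimal model of a planar codec context whose plane buffer is sized from `maxWidth`/`maxHeight` at creation, a toy RLE decoder, and the decompress routine in its vulnerable and hardened shapes. `planar_ctx_t`, `planar_src_dims_ok`, `planar_overrun_bytes`, `toy_rle_decode` and the `(runLength, value)` byte-pair stream format are all hypothetical, constructed for this example; only the field names `maxWidth`/`maxHeight` and the parameters `nSrcWidth`/`nSrcHeight` come from the page. What the model preserves is the shape of the bug: the decoder's own bounds checks are relative to dimensions the server supplied, so they cannot protect an allocation those dimensions were never compared with.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the planar codec context (not FreeRDP's struct):
 * only the fields the dimension check needs. */
typedef struct {
    uint32_t maxWidth;
    uint32_t maxHeight;
    size_t   planeSize;   /* maxWidth * maxHeight bytes, fixed at creation */
    uint8_t* planeBuf;    /* one decoded colour plane, sized from planeSize */
} planar_ctx_t;

planar_ctx_t* planar_ctx_new(uint32_t maxWidth, uint32_t maxHeight)
{
    if (maxWidth == 0 || maxHeight == 0) return NULL;
    uint64_t prod = (uint64_t)maxWidth * maxHeight;
    if (prod > SIZE_MAX) return NULL;
    planar_ctx_t* p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->maxWidth = maxWidth;
    p->maxHeight = maxHeight;
    p->planeSize = (size_t)prod;
    p->planeBuf = calloc(p->planeSize, 1);
    if (!p->planeBuf) { free(p); return NULL; }
    return p;
}

void planar_ctx_free(planar_ctx_t* p)
{
    if (!p) return;
    free(p->planeBuf);
    free(p);
}

/* The check the advisory says was missing: server-supplied source dimensions
 * must fit the buffers sized from maxWidth/maxHeight. The 64-bit product
 * also rules out a wrapped 32-bit multiply. */
bool planar_src_dims_ok(const planar_ctx_t* p, uint32_t nSrcWidth, uint32_t nSrcHeight)
{
    if (nSrcWidth == 0 || nSrcHeight == 0) return false;
    if (nSrcWidth > p->maxWidth || nSrcHeight > p->maxHeight) return false;
    if ((uint64_t)nSrcWidth * nSrcHeight > p->planeSize) return false;
    return true;
}

/* Bytes an unchecked decode of nSrcWidth x nSrcHeight would write past
 * planeBuf (0 = in bounds). Lets a test reason about the overflow without
 * corrupting the heap. */
uint64_t planar_overrun_bytes(const planar_ctx_t* p, uint32_t nSrcWidth, uint32_t nSrcHeight)
{
    uint64_t need = (uint64_t)nSrcWidth * nSrcHeight;
    return need > p->planeSize ? need - p->planeSize : 0;
}

/* Toy RLE (constructed for this example, not FreeRDP's planar RLE): a stream
 * of (runLength, value) byte pairs. It bounds-checks against dstLen, which is
 * exactly the trap: dstLen is derived from the advertised dimensions. */
static int64_t toy_rle_decode(const uint8_t* src, size_t srcLen, uint8_t* dst, size_t dstLen)
{
    size_t out = 0;
    for (size_t i = 0; i + 1 < srcLen; i += 2) {
        uint8_t run = src[i], val = src[i + 1];
        if (run > dstLen - out) return -1;   /* stream longer than the plane */
        memset(dst + out, val, run);
        out += run;
    }
    return (int64_t)out;
}

/* Vulnerable shape: planeSize comes from nSrcWidth/nSrcHeight and is never
 * compared with the allocation behind planeBuf. Calling it with dimensions
 * above the context maxima overflows the heap; it is here to read. */
int64_t decompress_planar_vuln(planar_ctx_t* p, const uint8_t* src, size_t srcLen,
                               uint32_t nSrcWidth, uint32_t nSrcHeight)
{
    size_t planeSize = (size_t)nSrcWidth * nSrcHeight;  /* attacker-controlled */
    return toy_rle_decode(src, srcLen, p->planeBuf, planeSize);
}

/* Hardened shape: validate before any decode touches the buffer. */
int64_t decompress_planar_fixed(planar_ctx_t* p, const uint8_t* src, size_t srcLen,
                                uint32_t nSrcWidth, uint32_t nSrcHeight)
{
    if (!planar_src_dims_ok(p, nSrcWidth, nSrcHeight)) return -1;
    size_t planeSize = (size_t)nSrcWidth * nSrcHeight;  /* now <= p->planeSize */
    return toy_rle_decode(src, srcLen, p->planeBuf, planeSize);
}

int main(void)
{
    planar_ctx_t* p = planar_ctx_new(4, 4);            /* 16-byte plane */
    const uint8_t ok[]  = { 16, 0xAA };                /* constructed: exactly one plane */
    const uint8_t bad[] = { 16, 0xAA, 16, 0xBB };      /* constructed: server claims 8x4 = 32 bytes */

    printf("4x4 fixed: %lld\n", (long long)decompress_planar_fixed(p, ok, sizeof ok, 4, 4));
    printf("8x4 fixed: %lld\n", (long long)decompress_planar_fixed(p, bad, sizeof bad, 8, 4));
    printf("8x4 unchecked would overrun by %llu bytes\n",
           (unsigned long long)planar_overrun_bytes(p, 8, 4));
    planar_ctx_free(p);
    return 0;
}
```

Build with `cc -Wall -fsanitize=address` if you want to see what the unchecked variant does on the 8x4 input: ASan reports a heap-buffer-overflow on `planeBuf` at the first byte past the 16-byte allocation, which is the crash the advisory describes as DoS and the write primitive behind its code-execution caveat. The real fix is the one shipped in FreeRDP 3.21.0; this sketch only shows where the validation has to sit relative to the decode.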

Details

CWE(s)

CWE-122 (heap-based buffer overflow)

Affected Products

freerdp / freerdp: versions prior to 3.21.0 (fixed in 3.21.0)

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why this technique? The heap buffer overflow sits in the FreeRDP client and is triggered by a malicious RDP server sending crafted bitmap data; that is a client-application vulnerability whose exploitation can yield remote code execution on the connecting host.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

GHSA-r4hv-852m-fq7p (FreeRDP security advisory, cited in the Security Summary above)