CVE-2026-23532

CriticalPublic PoC

Published: 19 January 2026

Published

19 January 2026

Modified

28 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0014 33.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A…

malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely identification, reporting, and patching of the heap buffer overflow vulnerability in FreeRDP clients to version 3.21.0 or later.

SI-16 Memory Protection partial match

prevent

Implements memory protection mechanisms like ASLR and non-executable heap to mitigate exploitation of the heap buffer overflow for code execution.

AC-17 Remote Access partial match

prevent

Restricts and authorizes RDP client connections to trusted servers only, reducing exposure to malicious RDP servers that trigger the vulnerability.

Security SummaryAI

CVE-2026-23532 is a client-side heap buffer overflow vulnerability (CWE-122) in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). The issue affects FreeRDP clients prior to version 3.21.0 and occurs in the `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size performed during surface operations.

A malicious RDP server can exploit this vulnerability against any unauthenticated client that connects to it over the network, requiring no user interaction or privileges (CVSSv3.1 score of 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation triggers a heap buffer overflow, reliably causing a client denial-of-service (crash) and potentially leading to heap corruption with code execution risk, contingent on the memory allocator's behavior and surrounding heap layout.

The FreeRDP project has addressed the vulnerability in version 3.21.0, as detailed in the project's security advisory (GHSA-fq8c-87hj-7gvr) and release notes. Security practitioners should update to FreeRDP 3.21.0 or later; the patch is visible in the codebase at libfreerdp/gdi/gfx.c lines 1368-1382.

Details

CWE(s): CWE-122

Affected Products

freerdp

≤ 3.21.0

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Client-side heap buffer overflow in FreeRDP RDP client exploitable by malicious server for code execution or DoS, directly enabling T1203: Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/gdi/gfx.c#L1368-L1382
Product · security-advisories@github.com
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0
Release Notes · security-advisories@github.com
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr
Exploit, Vendor Advisory · security-advisories@github.com