CVE-2026-23533

CriticalPublic PoC

Published: 19 January 2026

Published

19 January 2026

Modified

28 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0015 35.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server…

can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely patching of the heap buffer overflow in FreeRDP's RDPGFX ClearCodec decode path by upgrading to version 3.21.0 or later.

SI-10 Information Input Validation partial match

prevent

Mandates validation of RDPGFX ClearCodec residual data inputs to prevent out-of-bounds writes from malicious server data.

SI-16 Memory Protection partial match

prevent

Implements memory protections like ASLR and DEP to mitigate heap corruption and potential code execution from the buffer overflow.

Security SummaryAI

CVE-2026-23533 is a client-side heap buffer overflow vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol, affecting versions prior to 3.21.0. The issue resides in the RDPGFX ClearCodec decode path, where maliciously crafted residual data triggers out-of-bounds writes during color output processing. Classified under CWE-122 (Heap-based Buffer Overflow), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact exploitation.

A malicious RDP server can exploit this vulnerability against any client using a vulnerable FreeRDP version that connects to it. No special privileges or user interaction beyond initiating the connection are required. Successful exploitation causes a client-side heap buffer overflow, reliably leading to a denial-of-service crash, with potential for heap corruption and arbitrary code execution depending on the memory allocator's behavior and surrounding heap layout.

The FreeRDP project addressed this in version 3.21.0, which includes a patch for the ClearCodec decode path. Security practitioners should upgrade to FreeRDP 3.21.0 or later. Detailed information is available in the project's security advisory (GHSA-32q9-m5qr-9j2v) and release notes, with code changes visible in the clear.c source file around lines 268-281 and 336.

Details

CWE(s): CWE-122

Affected Products

freerdp

≤ 3.21.0

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The vulnerability is a client-side heap buffer overflow in FreeRDP (RDP client) exploitable by a malicious RDP server upon connection, enabling arbitrary code execution which directly maps to Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L268-L281
Product · security-advisories@github.com
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L336
Product · security-advisories@github.com
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0
Release Notes · security-advisories@github.com
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-32q9-m5qr-9j2v
Exploit, Vendor Advisory · security-advisories@github.com