CVE-2026-26955 Overview
CVE-2026-26955 is a heap buffer overflow vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., xfreerdp) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle.
The gdi_SurfaceCommand_ClearCodec() handler does not call is_within_surface() to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled cmd->left/cmd->top (and subcodec rectangle offsets) to reach image copy routines that write into surface->data without bounds enforcement.
Critical Impact
The out-of-bounds write corrupts an adjacent gdiGfxSurface struct's codecs* pointer with attacker-controlled pixel data. Corruption of codecs* is sufficient to reach an indirect function pointer call (NSC_CONTEXT.decode at nsc.c:500) on a subsequent codec command, providing full instruction pointer (RIP) control as demonstrated in the exploitability harness.
Affected Products
- FreeRDP versions prior to 3.23.0
- FreeRDP clients using GDI surface pipeline (e.g., xfreerdp)
- Applications built on FreeRDP libraries with RDPGFX ClearCodec support
Discovery Timeline
- 2026-02-25 - CVE-2026-26955 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-26955
Vulnerability Analysis
This vulnerability (CWE-787: Out-of-bounds Write) exists in the ClearCodec surface command handler within FreeRDP's GDI graphics pipeline. The root issue stems from insufficient validation of destination rectangle coordinates provided by an RDP server before performing memory write operations.
When processing RDPGFX ClearCodec commands, the client receives destination coordinates (cmd->left, cmd->top) and subcodec rectangle offsets from the server. These values are used to calculate write positions within the surface->data buffer. However, the vulnerable code path fails to verify that the calculated destination positions fall within the actual surface boundaries.
The exploitation chain involves multiple stages: first, the attacker sends a crafted ClearCodec command with out-of-bounds coordinates that causes pixel data to be written beyond the allocated surface buffer. This out-of-bounds write precisely corrupts the codecs* pointer in an adjacent gdiGfxSurface structure. On a subsequent codec command, the corrupted pointer leads to an indirect function call through NSC_CONTEXT.decode, giving the attacker full control over the instruction pointer (RIP).
Root Cause
The vulnerability originates in libfreerdp/codec/clear.c where destination bounds checking incorrectly compared against source dimensions (nWidth, nHeight) instead of destination surface dimensions (nDstWidth, nDstHeight). This logic error allowed malicious servers to specify coordinates that exceed the actual destination buffer size while still passing the incorrect validation checks.
Attack Vector
This is a network-based attack requiring user interaction. An attacker operating a malicious RDP server can exploit this vulnerability when a victim connects using a vulnerable FreeRDP client. The attack flow involves:
- Victim initiates RDP connection to attacker-controlled server
- Malicious server sends crafted RDPGFX ClearCodec surface command with out-of-bounds destination rectangle
- Client processes command without proper bounds validation
- Heap buffer overflow corrupts adjacent gdiGfxSurface structure
- Subsequent codec command triggers indirect call through corrupted function pointer
- Attacker achieves arbitrary code execution on client system
// Security patch from libfreerdp/codec/clear.c
// Source: https://github.com/FreeRDP/FreeRDP/commit/7d8fdce2d0ef337cb86cb37fc0c436c905e04d77
const UINT32 nXDstRel = nXDst + xStart;
const UINT32 nYDstRel = nYDst + yStart;
- if (1ull * nXDstRel + width > nWidth)
+ if (1ull * nXDstRel + width > nDstWidth)
{
- WLog_ERR(TAG, "nXDstRel %" PRIu16 " + width %" PRIu16 " > nWidth %" PRIu32 "", xStart,
- width, nWidth);
+ WLog_ERR(TAG, "nXDstRel %" PRIu32 " + width %" PRIu16 " > nDstWidth %" PRIu32 "",
+ nXDstRel, width, nDstWidth);
return FALSE;
}
- if (1ull * nYDstRel + height > nHeight)
+ if (1ull * nYDstRel + height > nDstHeight)
{
- WLog_ERR(TAG, "nYDstRel %" PRIu16 " + height %" PRIu16 " > nHeight %" PRIu32 "", yStart,
- height, nHeight);
+ WLog_ERR(TAG, "nYDstRel %" PRIu32 " + height %" PRIu16 " > nDstHeight %" PRIu32 "",
+ nYDstRel, height, nDstHeight);
return FALSE;
}
The patch corrects the bounds validation by checking destination coordinates against actual destination surface dimensions (nDstWidth, nDstHeight) rather than source dimensions.
Detection Methods for CVE-2026-26955
Indicators of Compromise
- Unexpected crashes or memory corruption in FreeRDP client processes (xfreerdp, wlfreerdp)
- RDP connections to untrusted or unknown servers followed by client abnormal termination
- Heap corruption signatures in crash dumps involving gdiGfxSurface structures
- Suspicious RDPGFX ClearCodec surface commands with large offset values in network traffic
Detection Strategies
- Monitor for FreeRDP client crashes with heap corruption indicators, particularly in GDI surface handling code paths
- Implement network inspection for RDP traffic containing anomalous RDPGFX graphics commands with out-of-bounds rectangle coordinates
- Deploy endpoint detection rules to identify exploitation attempts targeting gdi_SurfaceCommand_ClearCodec() function
- Analyze RDP session metadata for connections to unrecognized or suspicious RDP servers
Monitoring Recommendations
- Enable verbose logging in FreeRDP clients to capture graphics command processing errors
- Configure crash dump collection for FreeRDP processes to facilitate forensic analysis
- Implement network segmentation and monitoring for outbound RDP connections to non-corporate resources
- Deploy SentinelOne Singularity platform for real-time memory protection and behavioral analysis of RDP client processes
How to Mitigate CVE-2026-26955
Immediate Actions Required
- Upgrade FreeRDP to version 3.23.0 or later immediately on all systems
- Restrict RDP client usage to connect only to trusted, verified RDP servers
- Implement network controls to prevent connections to untrusted external RDP endpoints
- Review and audit recent RDP connection logs for suspicious server connections
Patch Information
The vulnerability has been patched in FreeRDP version 3.23.0. The fix is available in commit 7d8fdce2d0ef337cb86cb37fc0c436c905e04d77. Users should upgrade to the patched version to receive the security fix that properly validates destination rectangle bounds against actual surface dimensions.
For detailed information, refer to the GitHub Security Advisory GHSA-mr6w-ch7c-mqqj.
Workarounds
- Avoid connecting to untrusted or unknown RDP servers until the patch is applied
- Disable GDI surface pipeline if feasible (use alternative rendering backends if available)
- Implement network-level controls to whitelist approved RDP server destinations
- Run FreeRDP clients in sandboxed environments to limit potential impact of exploitation
# Verify FreeRDP version to ensure patched version is installed
xfreerdp --version
# Update FreeRDP on Debian/Ubuntu systems
sudo apt update && sudo apt install freerdp2-x11
# Update FreeRDP on RHEL/CentOS systems
sudo dnf update freerdp
# Build from source with patched version
git clone https://github.com/FreeRDP/FreeRDP.git
cd FreeRDP
git checkout 3.23.0
cmake -B build -DCMAKE_BUILD_TYPE=Release
cmake --build build
sudo cmake --install build
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
