CVE-2026-31806: FreeRDP Buffer Overflow Vulnerability

CVE-2026-31806 Overview

CVE-2026-31806 is a critical heap buffer overflow vulnerability in FreeRDP, the widely-used open-source implementation of the Remote Desktop Protocol (RDP). The vulnerability exists in the gdi_surface_bits() function which processes SURFACE_BITS_COMMAND messages from RDP servers. When using NSCodec for bitmap decoding, the bmp.width and bmp.height values provided by the server are not properly validated against actual desktop dimensions, allowing a malicious RDP server to trigger a heap buffer overflow with attacker-controlled data.

Critical Impact
A malicious RDP server can exploit this vulnerability to achieve remote code execution on connecting clients by sending crafted bitmap dimensions that cause heap memory corruption with attacker-controlled pixel data.

Affected Products

FreeRDP versions prior to 3.24.0
Applications and systems using vulnerable FreeRDP libraries
RDP client implementations built on FreeRDP

Discovery Timeline

2026-03-13 - CVE CVE-2026-31806 published to NVD
2026-03-17 - Last updated in NVD database

Technical Details for CVE-2026-31806

Vulnerability Analysis

This heap buffer overflow (CWE-122) occurs in the NSCodec bitmap processing path within FreeRDP. The vulnerable gdi_surface_bits() function accepts SURFACE_BITS_COMMAND messages from RDP servers without adequately validating that the bitmap dimensions conform to the actual desktop surface boundaries. When a malicious server supplies bmp.width and bmp.height values that exceed the expected surface size, subsequent memory operations during bitmap decoding write beyond allocated heap buffer boundaries.

The critical aspect of this vulnerability is that attackers can control not only the overflow trigger (via crafted dimensions) but also the overflow content (via the associated pixel data). This level of control over both the overflow size and content significantly increases exploitability for achieving arbitrary code execution.

Root Cause

The root cause is insufficient bounds validation in the nsc_process_message function within libfreerdp/codec/nsc.c. Prior to the fix, the function passed width and height values directly to freerdp_image_copy_no_overlap() without verifying these dimensions against the destination buffer boundaries (nWidth and nHeight). This allowed copy operations to exceed the allocated destination buffer size when server-supplied dimensions were larger than the actual desktop dimensions.

Attack Vector

This vulnerability is exploitable over the network by a malicious RDP server. The attack scenario involves:

An attacker sets up a rogue RDP server or compromises an existing one
A victim client connects to the malicious server using a vulnerable FreeRDP client
The server sends a SURFACE_BITS_COMMAND with oversized bmp.width and bmp.height values
The client's NSCodec decoder processes the message without proper bounds checking
The heap buffer overflow occurs, potentially overwriting adjacent memory with attacker-controlled pixel data
Depending on heap layout, this can lead to arbitrary code execution on the client system

The following patch demonstrates the fix implemented in version 3.24.0:

 		return FALSE;
 	}
 
-	return (freerdp_image_copy_no_overlap(pDstData, DstFormat, nDstStride, nXDst, nYDst, width,
-	                                      height, context->BitmapData, PIXEL_FORMAT_BGRA32, 0, 0,
-	                                      nullptr, flip));
+	uint32_t cwidth = width;
+	if (1ull * nXDst + width > nWidth)
+		cwidth = nWidth - nXDst;
+
+	uint32_t cheight = height;
+	if (1ull * nYDst + height > nHeight)
+		cheight = nHeight - nYDst;
+
+	return (freerdp_image_copy_no_overlap(pDstData, DstFormat, nDstStride, nXDst, nYDst, cwidth,
+	                                      cheight, context->BitmapData, PIXEL_FORMAT_BGRA32, 0, 0,
+	                                      0, nullptr, flip));
 }

Source: GitHub Commit

The patch introduces bounds checking by calculating constrained width (cwidth) and height (cheight) values that respect the destination buffer boundaries before performing the copy operation.

Detection Methods for CVE-2026-31806

Indicators of Compromise

Unexpected crashes or memory corruption in FreeRDP client processes
RDP sessions from unknown or suspicious server addresses
Abnormal memory usage patterns in processes utilizing FreeRDP libraries
Application crashes occurring during RDP bitmap rendering operations

Detection Strategies

Monitor for FreeRDP client process crashes with heap corruption signatures
Implement network monitoring to detect RDP connections to untrusted or unknown servers
Deploy endpoint detection rules for anomalous memory operations in RDP client processes
Review system logs for repeated FreeRDP crashes or segmentation faults

Monitoring Recommendations

Enable verbose logging in FreeRDP clients to capture bitmap processing errors
Implement network traffic analysis for RDP protocol anomalies
Monitor endpoint behavior for signs of post-exploitation activity following RDP sessions
Track FreeRDP library version inventory across the environment

How to Mitigate CVE-2026-31806

Immediate Actions Required

Upgrade FreeRDP to version 3.24.0 or later immediately
Restrict RDP client connections to trusted, known servers only
Implement network segmentation to limit exposure of RDP clients
Audit all systems and applications using FreeRDP libraries for vulnerable versions

Patch Information

The vulnerability is fixed in FreeRDP version 3.24.0. The fix adds proper bounds checking in the nsc_process_message function to ensure bitmap dimensions do not exceed destination buffer boundaries. The security patch is available via the GitHub Commit. Additional details are available in the GitHub Security Advisory GHSA-rrqm-46rj-cmx2.

Workarounds

Only connect to trusted RDP servers until patching is complete
Use VPN or other secure tunnels for RDP connections to reduce man-in-the-middle attack risk
Disable NSCodec if possible (may impact performance/quality but removes this attack vector)
Implement application-level firewall rules to block unauthorized RDP connections

bash

# Check FreeRDP version to identify vulnerable installations
xfreerdp --version

# Update FreeRDP on Debian/Ubuntu systems
sudo apt update && sudo apt install freerdp2-x11

# For systems building from source, update to 3.24.0 or later
git clone https://github.com/FreeRDP/FreeRDP.git
cd FreeRDP
git checkout 3.24.0
cmake -B build && cmake --build build
sudo cmake --install build

CVE-2026-31806 Overview

Critical Impact
A malicious RDP server can exploit this vulnerability to achieve remote code execution on connecting clients by sending crafted bitmap dimensions that cause heap memory corruption with attacker-controlled pixel data.

Affected Products

FreeRDP versions prior to 3.24.0
Applications and systems using vulnerable FreeRDP libraries
RDP client implementations built on FreeRDP

Discovery Timeline

2026-03-13 - CVE CVE-2026-31806 published to NVD
2026-03-17 - Last updated in NVD database

Technical Details for CVE-2026-31806

Vulnerability Analysis

Root Cause

Attack Vector

This vulnerability is exploitable over the network by a malicious RDP server. The attack scenario involves:

An attacker sets up a rogue RDP server or compromises an existing one
A victim client connects to the malicious server using a vulnerable FreeRDP client
The server sends a SURFACE_BITS_COMMAND with oversized bmp.width and bmp.height values
The client's NSCodec decoder processes the message without proper bounds checking
The heap buffer overflow occurs, potentially overwriting adjacent memory with attacker-controlled pixel data
Depending on heap layout, this can lead to arbitrary code execution on the client system

The following patch demonstrates the fix implemented in version 3.24.0:

 		return FALSE;
 	}
 
-	return (freerdp_image_copy_no_overlap(pDstData, DstFormat, nDstStride, nXDst, nYDst, width,
-	                                      height, context->BitmapData, PIXEL_FORMAT_BGRA32, 0, 0,
-	                                      nullptr, flip));
+	uint32_t cwidth = width;
+	if (1ull * nXDst + width > nWidth)
+		cwidth = nWidth - nXDst;
+
+	uint32_t cheight = height;
+	if (1ull * nYDst + height > nHeight)
+		cheight = nHeight - nYDst;
+
+	return (freerdp_image_copy_no_overlap(pDstData, DstFormat, nDstStride, nXDst, nYDst, cwidth,
+	                                      cheight, context->BitmapData, PIXEL_FORMAT_BGRA32, 0, 0,
+	                                      0, nullptr, flip));
 }

Source: GitHub Commit

The patch introduces bounds checking by calculating constrained width (cwidth) and height (cheight) values that respect the destination buffer boundaries before performing the copy operation.

Detection Methods for CVE-2026-31806

Indicators of Compromise

Unexpected crashes or memory corruption in FreeRDP client processes
RDP sessions from unknown or suspicious server addresses
Abnormal memory usage patterns in processes utilizing FreeRDP libraries
Application crashes occurring during RDP bitmap rendering operations

Detection Strategies

Monitor for FreeRDP client process crashes with heap corruption signatures
Implement network monitoring to detect RDP connections to untrusted or unknown servers
Deploy endpoint detection rules for anomalous memory operations in RDP client processes
Review system logs for repeated FreeRDP crashes or segmentation faults

Monitoring Recommendations

Enable verbose logging in FreeRDP clients to capture bitmap processing errors
Implement network traffic analysis for RDP protocol anomalies
Monitor endpoint behavior for signs of post-exploitation activity following RDP sessions
Track FreeRDP library version inventory across the environment

How to Mitigate CVE-2026-31806

Immediate Actions Required

Upgrade FreeRDP to version 3.24.0 or later immediately
Restrict RDP client connections to trusted, known servers only
Implement network segmentation to limit exposure of RDP clients
Audit all systems and applications using FreeRDP libraries for vulnerable versions

Patch Information

Workarounds

Only connect to trusted RDP servers until patching is complete
Use VPN or other secure tunnels for RDP connections to reduce man-in-the-middle attack risk
Disable NSCodec if possible (may impact performance/quality but removes this attack vector)
Implement application-level firewall rules to block unauthorized RDP connections

bash

# Check FreeRDP version to identify vulnerable installations
xfreerdp --version

# Update FreeRDP on Debian/Ubuntu systems
sudo apt update && sudo apt install freerdp2-x11

# For systems building from source, update to 3.24.0 or later
git clone https://github.com/FreeRDP/FreeRDP.git
cd FreeRDP
git checkout 3.24.0
cmake -B build && cmake --build build
sudo cmake --install build

CVE-2026-31806: FreeRDP Buffer Overflow Vulnerability

CVE-2026-31806 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-31806

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-31806

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-31806

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform

CVE-2026-31806: FreeRDP Buffer Overflow Vulnerability

CVE-2026-31806 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-31806

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-31806

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-31806

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform