Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-31806

CVE-2026-31806: FreeRDP Buffer Overflow Vulnerability

CVE-2026-31806 is a heap buffer overflow vulnerability in FreeRDP that allows malicious RDP servers to execute arbitrary code. This article covers the technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-31806 Overview

CVE-2026-31806 is a critical heap buffer overflow vulnerability in FreeRDP, the widely-used open-source implementation of the Remote Desktop Protocol (RDP). The vulnerability exists in the gdi_surface_bits() function which processes SURFACE_BITS_COMMAND messages from RDP servers. When using NSCodec for bitmap decoding, the bmp.width and bmp.height values provided by the server are not properly validated against actual desktop dimensions, allowing a malicious RDP server to trigger a heap buffer overflow with attacker-controlled data.

Critical Impact

A malicious RDP server can exploit this vulnerability to achieve remote code execution on connecting clients by sending crafted bitmap dimensions that cause heap memory corruption with attacker-controlled pixel data.

Affected Products

  • FreeRDP versions prior to 3.24.0
  • Applications and systems using vulnerable FreeRDP libraries
  • RDP client implementations built on FreeRDP

Discovery Timeline

  • 2026-03-13 - CVE CVE-2026-31806 published to NVD
  • 2026-03-17 - Last updated in NVD database

Technical Details for CVE-2026-31806

Vulnerability Analysis

This heap buffer overflow (CWE-122) occurs in the NSCodec bitmap processing path within FreeRDP. The vulnerable gdi_surface_bits() function accepts SURFACE_BITS_COMMAND messages from RDP servers without adequately validating that the bitmap dimensions conform to the actual desktop surface boundaries. When a malicious server supplies bmp.width and bmp.height values that exceed the expected surface size, subsequent memory operations during bitmap decoding write beyond allocated heap buffer boundaries.

The critical aspect of this vulnerability is that attackers can control not only the overflow trigger (via crafted dimensions) but also the overflow content (via the associated pixel data). This level of control over both the overflow size and content significantly increases exploitability for achieving arbitrary code execution.

Root Cause

The root cause is insufficient bounds validation in the nsc_process_message function within libfreerdp/codec/nsc.c. Prior to the fix, the function passed width and height values directly to freerdp_image_copy_no_overlap() without verifying these dimensions against the destination buffer boundaries (nWidth and nHeight). This allowed copy operations to exceed the allocated destination buffer size when server-supplied dimensions were larger than the actual desktop dimensions.

Attack Vector

This vulnerability is exploitable over the network by a malicious RDP server. The attack scenario involves:

  1. An attacker sets up a rogue RDP server or compromises an existing one
  2. A victim client connects to the malicious server using a vulnerable FreeRDP client
  3. The server sends a SURFACE_BITS_COMMAND with oversized bmp.width and bmp.height values
  4. The client's NSCodec decoder processes the message without proper bounds checking
  5. The heap buffer overflow occurs, potentially overwriting adjacent memory with attacker-controlled pixel data
  6. Depending on heap layout, this can lead to arbitrary code execution on the client system

The following patch demonstrates the fix implemented in version 3.24.0:

c
 		return FALSE;
 	}
 
-	return (freerdp_image_copy_no_overlap(pDstData, DstFormat, nDstStride, nXDst, nYDst, width,
-	                                      height, context->BitmapData, PIXEL_FORMAT_BGRA32, 0, 0,
-	                                      nullptr, flip));
+	uint32_t cwidth = width;
+	if (1ull * nXDst + width > nWidth)
+		cwidth = nWidth - nXDst;
+
+	uint32_t cheight = height;
+	if (1ull * nYDst + height > nHeight)
+		cheight = nHeight - nYDst;
+
+	return (freerdp_image_copy_no_overlap(pDstData, DstFormat, nDstStride, nXDst, nYDst, cwidth,
+	                                      cheight, context->BitmapData, PIXEL_FORMAT_BGRA32, 0, 0,
+	                                      0, nullptr, flip));
 }

Source: GitHub Commit

The patch introduces bounds checking by calculating constrained width (cwidth) and height (cheight) values that respect the destination buffer boundaries before performing the copy operation.

Detection Methods for CVE-2026-31806

Indicators of Compromise

  • Unexpected crashes or memory corruption in FreeRDP client processes
  • RDP sessions from unknown or suspicious server addresses
  • Abnormal memory usage patterns in processes utilizing FreeRDP libraries
  • Application crashes occurring during RDP bitmap rendering operations

Detection Strategies

  • Monitor for FreeRDP client process crashes with heap corruption signatures
  • Implement network monitoring to detect RDP connections to untrusted or unknown servers
  • Deploy endpoint detection rules for anomalous memory operations in RDP client processes
  • Review system logs for repeated FreeRDP crashes or segmentation faults

Monitoring Recommendations

  • Enable verbose logging in FreeRDP clients to capture bitmap processing errors
  • Implement network traffic analysis for RDP protocol anomalies
  • Monitor endpoint behavior for signs of post-exploitation activity following RDP sessions
  • Track FreeRDP library version inventory across the environment

How to Mitigate CVE-2026-31806

Immediate Actions Required

  • Upgrade FreeRDP to version 3.24.0 or later immediately
  • Restrict RDP client connections to trusted, known servers only
  • Implement network segmentation to limit exposure of RDP clients
  • Audit all systems and applications using FreeRDP libraries for vulnerable versions

Patch Information

The vulnerability is fixed in FreeRDP version 3.24.0. The fix adds proper bounds checking in the nsc_process_message function to ensure bitmap dimensions do not exceed destination buffer boundaries. The security patch is available via the GitHub Commit. Additional details are available in the GitHub Security Advisory GHSA-rrqm-46rj-cmx2.

Workarounds

  • Only connect to trusted RDP servers until patching is complete
  • Use VPN or other secure tunnels for RDP connections to reduce man-in-the-middle attack risk
  • Disable NSCodec if possible (may impact performance/quality but removes this attack vector)
  • Implement application-level firewall rules to block unauthorized RDP connections
bash
# Check FreeRDP version to identify vulnerable installations
xfreerdp --version

# Update FreeRDP on Debian/Ubuntu systems
sudo apt update && sudo apt install freerdp2-x11

# For systems building from source, update to 3.24.0 or later
git clone https://github.com/FreeRDP/FreeRDP.git
cd FreeRDP
git checkout 3.24.0
cmake -B build && cmake --build build
sudo cmake --install build

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne