CVE-2026-40033 Overview
CVE-2026-40033 is a heap-buffer-overflow vulnerability in FreeRDP versions prior to 3.26.0. The flaw resides in the gdi_CacheToSurface function, where rectangle validation clamps coordinates to UINT16_MAX but executes copy operations using unclamped cache entry dimensions. A malicious Remote Desktop Protocol (RDP) server can exploit this mismatch to trigger large out-of-bounds heap writes against a connecting client. Successful exploitation can lead to remote code execution or client process crash. The vulnerability is tracked under [CWE-122] Heap-Based Buffer Overflow and affects all FreeRDP deployments that connect to untrusted RDP servers.
Critical Impact
A malicious RDP server can write attacker-controlled data outside heap buffer boundaries on the client, enabling remote code execution against any user who connects.
Affected Products
- FreeRDP versions prior to 3.26.0
- All client applications statically or dynamically linked against vulnerable FreeRDP libraries
- Downstream distributions packaging FreeRDP below 3.26.0
Discovery Timeline
- 2026-05-26 - CVE-2026-40033 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-40033
Vulnerability Analysis
The defect exists in the GDI surface caching path of FreeRDP. The gdi_CacheToSurface routine handles server-issued orders that copy bitmap data from a cache entry into a destination surface. Before performing the copy, the code validates the destination rectangle and clamps its coordinates to UINT16_MAX. However, the byte-count used for the actual memory write derives from the cache entry's stored width and height, which the validation step never bounds. A malicious server crafts a cache entry whose dimensions exceed the destination rectangle, and the resulting copy overflows the heap allocation backing the surface. Because the attacker controls both the source bytes and the overflow length, the primitive is suitable for memory corruption leading to control-flow hijacking on the client.
Root Cause
The root cause is inconsistent boundary enforcement between validation and execution. Rectangle coordinates pass through a clamping check, but the subsequent copy uses unclamped cache dimensions. This asymmetry between checked and used values is a classic validation-bypass pattern, producing a heap-based buffer overflow [CWE-122].
Attack Vector
Exploitation requires a victim to initiate an RDP session to an attacker-controlled or compromised server. User interaction is required to initiate the connection, after which the malicious server sends crafted cache-to-surface orders during normal protocol exchange. No client-side authentication weakness is required, and the vulnerability is reachable over any network path that the client uses to reach the server.
// Excerpt from the upstream fix merge (PR #12635) in client/SDL/SDL3/sdl_context.cpp
case SDL_EVENT_WINDOW_MOUSE_ENTER:
return restoreCursor();
case SDL_EVENT_WINDOW_DISPLAY_SCALE_CHANGED:
+ if (!resizeToScale(window))
+ return false;
if (isConnected())
{
if (!window->fill())
Source: FreeRDP fix commit 23b36cd
Detection Methods for CVE-2026-40033
Indicators of Compromise
- FreeRDP client processes (xfreerdp, wlfreerdp, sdl-freerdp) crashing with heap corruption signatures shortly after connecting to a remote host
- Outbound RDP sessions (TCP 3389) initiated to untrusted or newly observed external destinations
- Anomalous child processes spawned by FreeRDP client binaries following an RDP session
- Core dumps or crash reports referencing gdi_CacheToSurface in the call stack
Detection Strategies
- Inventory installed FreeRDP versions across endpoints and flag any release below 3.26.0
- Monitor for FreeRDP client crashes by collecting application error events and signal-11 terminations
- Inspect outbound RDP connections from workstations to non-corporate IP ranges and apply allow-listing for known servers
- Hunt for post-exploitation behavior such as FreeRDP processes writing executables or invoking shells
Monitoring Recommendations
- Forward endpoint process telemetry and crash events into a centralized data lake for correlation across hosts
- Apply behavioral detections that flag memory corruption patterns originating from RDP client binaries
- Track FreeRDP version drift over time and alert on hosts that fall out of patch compliance
How to Mitigate CVE-2026-40033
Immediate Actions Required
- Upgrade FreeRDP and all dependent packages to version 3.26.0 or later on every endpoint and server that initiates RDP sessions
- Restrict outbound RDP traffic to a vetted list of internal destinations using host or network firewalls
- Audit third-party applications that bundle FreeRDP libraries and apply vendor updates as they become available
- Educate users to avoid connecting to RDP endpoints received via email, chat, or untrusted links
Patch Information
The vulnerability is fixed in FreeRDP 3.26.0. The upstream fix is delivered through merge commit 23b36cd00ebf0ccd97750fcdbc9aa2f362352da7 and documented in the GitHub Security Advisory GHSA-p6r2-4hgm-m6ff. Additional technical context is available in the VulnCheck advisory.
Workarounds
- Block outbound TCP 3389 at the perimeter except to explicitly approved corporate RDP gateways
- Route RDP sessions through an authenticated RDP gateway or jump host that brokers connections to known-good servers
- Disable or remove FreeRDP clients on systems that do not require RDP connectivity
# Verify the installed FreeRDP version and upgrade where required
xfreerdp --version
# Debian/Ubuntu
sudo apt-get update && sudo apt-get install --only-upgrade freerdp2-x11 freerdp3-x11
# Fedora/RHEL
sudo dnf upgrade freerdp
# Restrict outbound RDP at the host firewall (Linux nftables example)
sudo nft add rule inet filter output tcp dport 3389 ip daddr != 10.0.0.0/8 drop
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
