FreeRDP before 3.26.0 allows remote code execution
DEBIAN-CVE-2026-40033 · CVSS 4.0 score: 9.9
Summary
FreeRDP, a remote desktop protocol implementation, contains a security flaw that could allow an attacker to take control of your computer or crash it. The issue is serious because a malicious RDP server can exploit it against any client that connects to it. To protect yourself, update to version 3.26.0 or later.
What to do
- Update the Debian freerdp3 package to version 3.26.0+dfsg-1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Debian:11 | debian | freerdp2 | All versions |
| Debian:12 | debian | freerdp2 | All versions |
| Debian:13 | debian | freerdp3 | All versions |
| Debian:14 | debian | freerdp3 | < 3.26.0+dfsg-1 (fix: upgrade to 3.26.0+dfsg-1) |
Original description
FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but performs copy operations using unclamped cache entry dimensions, enabling malicious RDP servers to trigger large out-of-bounds writes and potentially achieve remote code execution or client crash.
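The clamp-versus-copy mismatch described above, modelled as an added C example (not FreeRDP's code; `surface_t`, `cache_entry_t` and the function names are hypothetical): the flawed path validates a clamped rectangle but sizes the copy from the server-supplied cache entry, while the hardened path sizes the copy from the validated rectangle and rejects any request that clamping had to shrink.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical, simplified model of a cache-to-surface blit; not FreeRDP's code.
 * Surface dimensions are client-owned; cache entry dimensions arrive from the server. */
typedef struct { uint32_t width, height; } surface_t;
typedef struct { uint32_t width, height; } cache_entry_t;
typedef struct { uint32_t left, top, right, bottom; } rect_t; /* half-open: [left,right) x [top,bottom) */

/* Validation that only clamps: it never rejects, it just shrinks the rectangle. */
static rect_t clamp_rect(const surface_t *s, uint32_t left, uint32_t top, const cache_entry_t *e)
{
    uint64_t right = (uint64_t)left + e->width;   /* 64-bit so large entries cannot wrap */
    uint64_t bottom = (uint64_t)top + e->height;
    if (right > UINT16_MAX) right = UINT16_MAX;
    if (bottom > UINT16_MAX) bottom = UINT16_MAX;
    if (right > s->width) right = s->width;
    if (bottom > s->height) bottom = s->height;
    rect_t r = { left, top, (uint32_t)right, (uint32_t)bottom };
    return r;
}

/* Flawed pattern: the rectangle is clamped, but the copy loop is sized from the
 * unclamped cache entry. Returns true only if every pixel it would write is in bounds. */
bool flawed_copy_in_bounds(const surface_t *s, uint32_t left, uint32_t top, const cache_entry_t *e)
{
    rect_t r = clamp_rect(s, left, top, e);
    (void)r; /* computed and then ignored: this mismatch is the bug class */
    uint64_t end_x = (uint64_t)left + e->width;
    uint64_t end_y = (uint64_t)top + e->height;
    return end_x <= s->width && end_y <= s->height;
}

/* Hardened pattern (one possible fix, assumed here): size the copy from the validated
 * rectangle, and reject any request that clamping had to shrink. */
bool hardened_copy_accepts(const surface_t *s, uint32_t left, uint32_t top,
                           const cache_entry_t *e, uint32_t *copy_w, uint32_t *copy_h)
{
    rect_t r = clamp_rect(s, left, top, e);
    if (r.left >= r.right || r.top >= r.bottom) return false;
    if (r.right - r.left != e->width || r.bottom - r.top != e->height) return false;
    *copy_w = r.right - r.left; /* equals e->width, but derived from the validated rect */
    *copy_h = r.bottom - r.top;
    return true;
}
```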
CVSS 4.0 (OSV): 9.9
- https://security-tracker.debian.org/tracker/CVE-2026-40033 (Vendor Advisory)
Published: 26 May 2026 · Updated: 30 May 2026 · First seen: 30 May 2026