FreeRDP: Remote Desktop Client Can Crash or Be Hacked
OESA-2026-1520
Summary
If you use FreeRDP, a malicious RDP server can crash the client or potentially read sensitive information from its memory. This is because the client contains several memory-safety flaws that a server you connect to can trigger. To stay safe, update to the latest version of FreeRDP, which fixes these issues.
What to do
- Update freerdp to version 2.11.8-1.oe2203sp4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | freerdp | <= 2.11.8-1.oe2203sp4 | 2.11.8-1.oe2203sp4 |
Original title
freerdp security update
Original description
FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client application xfreerdp.
Security Fix(es):
A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-22852)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1.(CVE-2026-22854)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when the `cbAttrLen` parameter does not match the actual NDR (Network Data Representation) buffer length. An attacker could potentially exploit this vulnerability to read sensitive information from process memory or cause the application to crash.(CVE-2026-22855)
A malicious server can trigger a client-side use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-22856)
A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. The vulnerability exists in the irp_thread_func function.(CVE-2026-22857)
A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-22859)
A heap-based buffer overflow vulnerability exists in FreeRDP within the planar_decompress_plane_rle function, which may lead to memory corruption and arbitrary code execution.(CVE-2026-23530)
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 3.21.0, a heap buffer overflow vulnerability existed in the ClearCodec component. Specifically, when `glyphData` is present, the `clear_decompress` function calls `freerdp_image_copy_no_overlap` without validating the destination rectangle. This allows for out-of-bounds read/write operations when processing crafted RDPGFX surface updates. A malicious server can exploit this to trigger a client-side heap buffer overflow, causing a crash (Denial of Service) and potential heap corruption. Depending on allocator behavior and surrounding heap layout, there is a risk of arbitrary code execution.(CVE-2026-23531)
A heap-buffer-overflow vulnerability exists in FreeRDP software that could allow an attacker to execute arbitrary code or cause denial of service on affected systems. This vulnerability affects the gdi_SurfaceToSurface function and is present in versions 3.20.2 and earlier.(CVE-2026-23532)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow vulnerability exists in the RDPGFX ClearCodec decode path, specifically in the `clear_decompress_residual_data` function. When processing maliciously crafted residual data, out-of-bounds writes occur during color output. A malicious server can exploit this to trigger a client-side heap buffer overflow, causing a crash (Denial of Service) and potential heap corruption. Depending on allocator behavior and surrounding heap layout, there is a risk of arbitrary code execution.(CVE-2026-23533)
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 3.21.0, a client-side heap buffer overflow vulnerability exists in the ClearCodec bands decode path. When a malicious server sends crafted band coordinates, it allows writes past the end of the destination surface buffer. This can be exploited to trigger a client-side heap buffer overflow, causing a crash (Denial of Service) and potentially leading to heap corruption with the risk of arbitrary code execution, depending on allocator behavior and surrounding heap layout.(CVE-2026-23534)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, the FastGlyph parsing process trusts `cbData`/remaining length but never validates it against the minimum size implied by `cx`/`cy`. A malicious server can exploit this vulnerability to trigger a client-side global heap buffer overflow, causing a crash and resulting in a denial of service.(CVE-2026-23732)
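The drive-read overflow and the FastGlyph bug above are the same mistake in two directions: a server-supplied length is trusted without checking it against what the receiver can hold (an upper bound) or what the declared geometry requires (a lower bound). The C stand-in below is an added illustration, not FreeRDP code; `MAX_DRIVE_READ_LEN`, the `out_stream` type and the byte-packed glyph row rule are this example's own assumptions.

```c
/* Added example (not FreeRDP code): validating server-supplied length fields
 * before they drive a copy, in the spirit of the drive-read bound and the
 * FastGlyph minimum-size check described in the advisory text. */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical hard cap on one drive read; FreeRDP's real limit is not on the page. */
#define MAX_DRIVE_READ_LEN (1024u * 1024u)

/* Simplified stand-in for an IRP output stream: fixed capacity, write cursor. */
typedef struct {
    uint8_t *buf;
    size_t   capacity;
    size_t   pos;
} out_stream;

/* Pre-fix shape of the drive-read bug: Length came from the server and was used
 * as the read size with no upper bound, so an oversized value overran the heap
 * buffer behind the stream. This version bounds it by cap, file and stream. */
bool drive_read_bounded(out_stream *s, const uint8_t *file, size_t file_size,
                        uint64_t offset, uint32_t length, uint32_t *read_out)
{
    if (!s || !file || !read_out) return false;
    if (length > MAX_DRIVE_READ_LEN) return false;        /* hard upper bound */
    if (offset > file_size) return false;                 /* offset past EOF */
    size_t avail = file_size - (size_t)offset;
    if (length > avail) length = (uint32_t)avail;         /* short read, like read(2) */
    if (length > s->capacity - s->pos) return false;      /* never exceed stream space */
    memcpy(s->buf + s->pos, file + offset, length);
    s->pos += length;
    *read_out = length;
    return true;
}

/* Minimum byte count a 1-bpp glyph of cx x cy pixels needs. Assumption for this
 * example: rows are packed to whole bytes; protocol padding is not modeled. */
uint32_t fastglyph_min_size(uint32_t cx, uint32_t cy)
{
    uint64_t row   = ((uint64_t)cx + 7) / 8;
    uint64_t total = row * cy;
    return (total > UINT32_MAX) ? UINT32_MAX : (uint32_t)total;
}

/* cbData is server-controlled. Checking only that cbData bytes remain in the
 * stream is the upper bound; the lower bound implied by cx/cy is the check
 * the advisory says was missing. Both must hold before the data is decoded. */
bool fastglyph_length_ok(uint32_t cx, uint32_t cy, uint32_t cbData, size_t remaining)
{
    if (cx == 0 || cy == 0) return false;
    if (cbData > remaining) return false;                  /* upper bound: stream */
    if (cbData < fastglyph_min_size(cx, cy)) return false; /* lower bound: geometry */
    return true;
}
```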
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, the `xf_Pointer_New` function frees the `cursorPixels` memory on failure. Subsequently, the `pointer_free` function calls `xf_Pointer_Free`, which attempts to free the same memory again, triggering an AddressSanitizer (ASan) detected use-after-free (UAF). A malicious server can trigger a client-side use-after-free, causing a crash (Denial of Service) and potentially leading to heap corruption with a risk of code execution, depending on allocator behavior and surrounding heap layout.(CVE-2026-23883)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a use-after-free vulnerability exists. Specifically, the deletion of an offscreen bitmap leaves the `gdi->drawing` pointer referencing freed memory. When subsequent related update packets are processed, this leads to a use-after-free condition. A malicious server can exploit this vulnerability when a client connects, causing a client-side crash (Denial of Service) and potentially leading to heap corruption. Depending on allocator behavior and heap layout, there is a risk of arbitrary code execution.(CVE-2026-23884)
A malicious server can trigger a client-side heap use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-24491)
A malicious server can trigger a client-side heap use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-24675)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, AUDIN format renegotiation frees the active format list while the capture thread continues using audin->format, leading to a use after free in audio_format_compatible. This vulnerability is fixed in 3.22.0.(CVE-2026-24676)
A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-24679)
A malicious server can trigger a client-side heap use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-24681)
A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-24682)
A malicious server can trigger a client-side heap use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-24683)
A malicious server can trigger a client-side heap use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-24684)
This is an out-of-bounds read vulnerability affecting FreeRDP clients. A malicious RDP server can exploit this to:
1. **Information Disclosure**: Read sensitive data from the client's heap memory
2. **Denial of Service**: Cause client crashes through memory access violations
The attack requires user interaction (connecting to a malicious server), but no authentication is needed on the server side.(CVE-2026-25941)
A malicious server can trigger a client-side heap use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-25997)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer overread in `freerdp_image_copy_from_icon_data()` (libfreerdp/codec/color.c) can be triggered by crafted RDP Window Icon (TS_ICON_INFO) data. The bug is reachable over the network when a client processes icon data from an RDP server (or from a man-in-the-middle). Version 3.23.0 fixes the issue.(CVE-2026-26271)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.(CVE-2026-26986)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` → `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue.(CVE-2026-27015)
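The `xf_Pointer_New`/`xf_Pointer_Free` double free and the `railWindows` dangling entry above share one root cause: an error path frees an object while another owner, the generic cleanup path or a lookup table, still references it. The C stand-in below is an added example, not FreeRDP code; every type and function name in it is hypothetical, and it shows the two ownership rules the fixes come down to.

```c
/* Added example (not FreeRDP code): two ownership rules behind the UAF and
 * double-free fixes described above.
 *   1. After freeing a field on an error path, null it so the normal cleanup
 *      path finds nothing to free.
 *   2. Unregister an object from every table that references it before freeing. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *cursorPixels;   /* owned by this struct */
    uint32_t width, height;
} xf_pointer;                /* hypothetical stand-in for the client's pointer object */

/* Generic cleanup: runs whether or not the earlier "new" succeeded. */
void xf_pointer_free(xf_pointer *p)
{
    if (!p) return;
    free(p->cursorPixels);   /* free(NULL) is a no-op, so a nulled field is safe */
    p->cursorPixels = NULL;
}

/* simulate_fail forces the failure branch after cursorPixels is allocated. */
bool xf_pointer_new(xf_pointer *p, uint32_t w, uint32_t h, bool simulate_fail)
{
    p->cursorPixels = calloc((size_t)w * h, 4);
    if (!p->cursorPixels) return false;
    p->width = w;
    p->height = h;
    if (simulate_fail) {
        /* Pre-fix pattern: free(p->cursorPixels); return false;
         * then xf_pointer_free() frees the same block a second time. */
        free(p->cursorPixels);
        p->cursorPixels = NULL;  /* rule 1: drop the dangling reference */
        return false;
    }
    return true;
}

/* Tiny registry standing in for a hash table of application windows. */
#define MAX_WINDOWS 8
typedef struct { char *title; } app_window;
typedef struct { app_window *slots[MAX_WINDOWS]; } window_table;

bool table_remove(window_table *t, const app_window *w)
{
    for (int i = 0; i < MAX_WINDOWS; i++)
        if (t->slots[i] == w) { t->slots[i] = NULL; return true; }
    return false;
}

/* Error-path teardown. Returns whether the window was still registered.
 * Skipping the remove (the pre-fix behaviour) leaves the table holding a freed
 * pointer that the disconnect-time table cleanup would free again. */
bool window_destroy_on_error(window_table *t, app_window *w)
{
    bool was_registered = table_remove(t, w);  /* rule 2: unregister first */
    free(w->title);
    free(w);
    return was_registered;
}
```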
References
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-22852 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-22854 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-22855 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-22856 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-22857 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-22859 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-23530 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-23531 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-23532 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-23533 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-23534 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-23732 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-23883 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-23884 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-24491 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-24675 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-24676 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-24679 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-24681 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-24682 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-24683 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-24684 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-25941 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-25997 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-26271 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-26986 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-27015 Vendor Advisory
Published: 6 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026