CVE-2026-23533
Published: 19 January 2026
Summary
CVE-2026-23533 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Freerdp Freerdp. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 35.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely patching of the heap buffer overflow in FreeRDP's RDPGFX ClearCodec decode path by upgrading to version 3.21.0 or later.
Mandates validation of RDPGFX ClearCodec residual data inputs to prevent out-of-bounds writes from malicious server data.
Implements memory protections like ASLR and DEP to mitigate heap corruption and potential code execution from the buffer overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a client-side heap buffer overflow in FreeRDP (RDP client) exploitable by a malicious RDP server upon connection, enabling arbitrary code execution which directly maps to Exploitation for Client Execution (T1203).
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server…
more
can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Deeper analysisAI
CVE-2026-23533 is a client-side heap buffer overflow vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol, affecting versions prior to 3.21.0. The issue resides in the RDPGFX ClearCodec decode path, where maliciously crafted residual data triggers out-of-bounds writes during color output processing. Classified under CWE-122 (Heap-based Buffer Overflow), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact exploitation.
A malicious RDP server can exploit this vulnerability against any client using a vulnerable FreeRDP version that connects to it. No special privileges or user interaction beyond initiating the connection are required. Successful exploitation causes a client-side heap buffer overflow, reliably leading to a denial-of-service crash, with potential for heap corruption and arbitrary code execution depending on the memory allocator's behavior and surrounding heap layout.
The FreeRDP project addressed this in version 3.21.0, which includes a patch for the ClearCodec decode path. Security practitioners should upgrade to FreeRDP 3.21.0 or later. Detailed information is available in the project's security advisory (GHSA-32q9-m5qr-9j2v) and release notes, with code changes visible in the clear.c source file around lines 268-281 and 336.
Details
- CWE(s)