CVE-2026-26955
Published: 25 February 2026
Summary
CVE-2026-26955 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Freerdp Freerdp. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 22.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation ensures FreeRDP clients are patched to version 3.23.0, directly preventing the heap buffer overflow from unvalidated RDPGFX ClearCodec commands.
Information input validation enforces bounds checking on RDP surface command rectangles against surface dimensions, blocking the out-of-bounds write in gdi_SurfaceCommand_ClearCodec().
Memory protection mechanisms like non-executable heap and ASLR mitigate exploitation of the heap overflow leading to codecs pointer corruption and RIP control.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a client-side heap buffer overflow in FreeRDP's RDP protocol handler (ClearCodec surface command) that a malicious server can trigger to achieve arbitrary code execution (RIP control) upon connection. This directly maps to T1203 Exploitation for Client Execution, where adversaries exploit software vulnerabilities in client applications. No other techniques are directly enabled by the vulnerability itself.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface…
more
command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.
Deeper analysisAI
CVE-2026-26955 is a heap buffer overflow vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol, affecting client versions prior to 3.23.0. The issue resides in the GDI surface pipeline, such as in the `xfreerdp` client, where a malicious RDP server can send an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler fails to validate the command rectangle against the destination surface dimensions using `is_within_surface()`, allowing attacker-controlled `cmd->left`/`cmd->top` values and subcodec offsets to propagate to image copy routines that write into `surface->data` without bounds checks.
A remote attacker can exploit this vulnerability by operating a malicious RDP server that FreeRDP clients connect to, requiring user interaction such as initiating the connection (UI:R). Successful exploitation leads to an out-of-bounds write that corrupts an adjacent `gdiGfxSurface` structure's `codecs*` pointer with attacker-controlled data. This corruption enables an indirect function pointer call, such as `NSC_CONTEXT.decode` in `nsc.c:500`, granting full instruction pointer (RIP) control as demonstrated in an exploitability harness. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects high confidentiality, integrity, and availability impacts.
The FreeRDP security advisory (GHSA-mr6w-ch7c-mqqj) and corresponding patch commit recommend upgrading to version 3.23.0, which adds the necessary bounds validation in the ClearCodec handler to prevent the out-of-bounds write. This CWE-787 (Out-of-bounds Write) issue has no reported real-world exploitation at the time of publication.
Details
- CWE(s)