FreeRDP - Heap-buffer-overflow in gdi_CacheToSurface via rectangle validation bypass | Advisories

Advisories

FreeRDP - Heap-buffer-overflow in gdi_CacheToSurface via rectangle validation bypass

severity: high
date: 5/26/2026
Affecting: FreeRDP < 3.26.0
CVE: CVE-2026-40033
CWE: CWE-122 Heap-based Buffer Overflow
CVSS: 8.6
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: GHSA Advisory GHSA-p6r2-4hgm-m6ff
https://github.com/FreeRDP/FreeRDP/commit/23b36cd00ebf0ccd97750fcdbc9aa2f362352da7
Credit: kevin-valerio
Description: FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but performs copy operations using unclamped cache entry dimensions, enabling malicious RDP servers to trigger large out-of-bounds writes and potentially achieve remote code execution or client crash.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo