CVE-2026-23530

9.8 CRITICAL

📋 TL;DR

FreeRDP clients prior to version 3.21.0 contain a heap buffer overflow vulnerability in the planar bitmap decompression function. A malicious RDP server can exploit this to crash the client (DoS) or potentially execute arbitrary code on the client system. This affects all FreeRDP client users connecting to untrusted RDP servers.

💻 Affected Systems

Products:
  • FreeRDP
Versions: All versions prior to 3.21.0
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: All FreeRDP client configurations using planar bitmap compression are affected. The vulnerability is triggered during RDP session establishment when receiving malicious bitmap data.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution on the client system, allowing full compromise of the client machine.

🟠 Likely Case: Client crash (denial of service) with potential heap corruption that could lead to code execution, depending on the memory allocator and heap layout.

🟢 If Mitigated: No impact if the patched version is used or if clients only connect to trusted servers.

🌐 Internet-Facing: HIGH - Clients connecting to internet-facing RDP servers are directly exposed to malicious servers.
🏢 Internal Only: MEDIUM - Risk exists if internal servers are compromised or if users connect to untrusted internal servers.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the client to connect to a malicious server. No authentication is needed as the vulnerability is triggered during normal RDP protocol handling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.21.0

Vendor Advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-r4hv-852m-fq7p

Restart Required: Yes

Instructions:

1. Download FreeRDP 3.21.0 or later from the official repository.
2. Uninstall the old version.
3. Install the new version.
4. Restart any applications using FreeRDP.

🔧 Temporary Workarounds

Disable planar compression (applies to: all)

Configure FreeRDP to disable planar bitmap compression, which triggers the vulnerable code path:

xfreerdp /compression-level:0

Network segmentation (applies to: all)

Restrict FreeRDP clients to only connect to trusted RDP servers using firewall rules.

🧯 If You Can't Patch

  • Only allow FreeRDP connections to trusted, verified RDP servers
  • Implement network monitoring for abnormal RDP traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check FreeRDP version with: xfreerdp --version or freerdp --version

Check Version:

xfreerdp --version 2>/dev/null || freerdp --version 2>/dev/null

Verify Fix Applied:

Verify version is 3.21.0 or higher (an exact match on the string '3.21.0' alone would miss later releases such as 3.21.1): v=$(xfreerdp --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1); [ "$(printf '%s\n' 3.21.0 "$v" | sort -V | head -n1)" = 3.21.0 ] && echo 'Patched'
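A more robust check of the installed client, as an added example that is not part of this advisory or of the FreeRDP project: it parses the `--version` banner and compares major.minor.patch numerically, so 3.21.1 or 3.22.0 also count as fixed and a missing version is reported as unknown rather than as safe. The banner wording and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not FreeRDP project code): decide whether an installed FreeRDP
# client is at or above the fixed release 3.21.0 for CVE-2026-23530, parsing the
# banner that `xfreerdp --version` / `freerdp --version` print. Pure POSIX sh:
# no `sort -V`, so it also works on minimal images. Pre-release suffixes such
# as "-dev" are ignored; only the numeric major.minor.patch triple is compared.

FIXED_VERSION=3.21.0

# Print the first major.minor.patch triple found in a version banner (or nothing).
freerdp_version_from_banner() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_ge A B: succeed (return 0) when A >= B, comparing each component numerically.
version_ge() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# Classify one banner. Prints a verdict and returns 0 = patched, 1 = vulnerable,
# 2 = no version found (treat as unknown, not as safe).
freerdp_check_banner() {
    v=$(freerdp_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo "Unknown (no version in banner)"; return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "Patched ($v)"; return 0
    fi
    echo "Vulnerable ($v < $FIXED_VERSION)"; return 1
}

# Live check of whichever client binary is installed.
freerdp_check_installed() {
    freerdp_check_banner "$(xfreerdp --version 2>/dev/null || freerdp --version 2>/dev/null)"
}

# Demo on a constructed banner, not real scan output:
freerdp_check_banner "This is FreeRDP version 3.20.1 (constructed sample)" || :
```

Run `freerdp_check_installed` on a host to get the verdict for the client actually on the path; the exit status makes it usable from inventory scripts.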

📡 Detection & Monitoring

Log Indicators:

  • FreeRDP client crashes with segmentation faults
  • Abnormal termination of RDP sessions

Network Indicators:

  • RDP connections to unknown/untrusted servers
  • Unusual RDP traffic patterns

SIEM Query:

(process_name:"xfreerdp" OR process_name:"freerdp") AND (event_type:"crash" OR exit_code:139)
