CVE-2026-23531

9.8 CRITICAL

📋 TL;DR

This CVE describes a heap buffer overflow vulnerability in FreeRDP's ClearCodec implementation. A malicious RDP server can send crafted RDPGFX surface updates to trigger out-of-bounds read/write operations, potentially leading to denial of service, heap corruption, or remote code execution on the client. All FreeRDP clients prior to version 3.21.0 are affected when connecting to untrusted servers.

💻 Affected Systems

Products:
  • FreeRDP
Versions: All versions prior to 3.21.0
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is client-side and requires connecting to a malicious RDP server. Any application that links the FreeRDP library is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution on the client system, allowing an attacker to gain full control of the affected machine when it connects to a malicious server.

🟠 Likely Case

Client crash (denial of service) and potential heap corruption that could lead to information disclosure or further exploitation, depending on heap layout.

🟢 If Mitigated

No impact if the patched version is used or if connections are restricted to trusted servers only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the client to connect to a malicious server. The vulnerability is in the client-side decoding logic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.21.0

Vendor Advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xj5h-9cr5-23c5

Restart Required: Yes

Instructions:

1. Download FreeRDP 3.21.0 or later from official sources.
2. Uninstall previous versions.
3. Install the new version.
4. Restart any applications using FreeRDP.

🔧 Temporary Workarounds

Restrict RDP Connections (platform: all)

Only allow FreeRDP connections to trusted, internal servers.

Network Segmentation (platform: all)

Isolate FreeRDP clients from untrusted networks.

🧯 If You Can't Patch

  • Implement strict network controls to only allow FreeRDP connections to trusted, verified servers
  • Monitor for abnormal RDP connection attempts and client crashes

🔍 How to Verify

Check if Vulnerable:

Check the installed FreeRDP version with 'xfreerdp --version' (or the equivalent client binary for your platform) and compare it against the fixed release 3.21.0.

Check Version:

xfreerdp --version

Verify Fix Applied:

Verify installed version is 3.21.0 or higher
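The version check above is easy to get wrong with a plain string comparison (for example "3.9.0" sorts after "3.21.0" lexically). The following POSIX shell script is an added example, not part of the advisory or the FreeRDP project: it extracts the first dotted x.y.z version from the output of `xfreerdp --version` and compares it component by component against 3.21.0. It assumes only that the client's version output contains such a dotted version number; the exact wording of that output line is not taken from the advisory.

```shell
#!/bin/sh
# Added example: compare the installed FreeRDP client version against the
# fixed release (3.21.0) named in the CVE-2026-23531 advisory.

FIXED_VERSION="3.21.0"

# version_ge A B -> return 0 if dotted version A >= B, 1 otherwise.
# Components are compared numerically, so 3.9.0 < 3.21.0 as intended.
# Any non-numeric suffix (e.g. "3.21.0-dev") is stripped before comparing.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/[^0-9.].*/, "", a); gsub(/[^0-9.].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# extract_version LINE -> print the first x.y.z version number found in LINE
# (constructed sample: "This is FreeRDP version 3.20.1 (abc)" -> "3.20.1").
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# is_fixed LINE -> 0 if LINE carries a version >= 3.21.0, 1 if it is older,
# 2 if no version number could be found at all.
is_fixed() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# Stand-alone use: query the installed client if it is on PATH. The version
# line format is an assumption; only the presence of x.y.z is relied upon.
if command -v xfreerdp >/dev/null 2>&1; then
    line=$(xfreerdp --version 2>/dev/null | head -n 1)
    if is_fixed "$line"; then
        echo "OK: FreeRDP $(extract_version "$line") is at or above $FIXED_VERSION"
    else
        echo "VULNERABLE or unknown: '$line' is below $FIXED_VERSION (CVE-2026-23531)"
    fi
else
    echo "xfreerdp not found on PATH; call is_fixed with the client's version line"
fi
```

Run it on each host that ships a FreeRDP-based client; a non-zero result from `is_fixed` means the client is still on an affected release and the workarounds above (restricting connections to trusted servers) remain necessary until it is upgraded.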

📡 Detection & Monitoring

Log Indicators:

  • FreeRDP client crashes
  • Abnormal termination of RDP sessions
  • Heap corruption errors in system logs

Network Indicators:

  • RDP connections to unknown/untrusted servers
  • Unusual RDPGFX protocol traffic patterns

SIEM Query:

source="*freerdp*" AND (event="crash" OR event="segfault" OR event="heap corruption")
