CVE-2026-23533

9.8 CRITICAL

📋 TL;DR

A heap buffer overflow vulnerability in FreeRDP's ClearCodec decode path allows malicious RDP servers to trigger client-side memory corruption. This can cause denial of service (crash) and potentially remote code execution depending on heap conditions. All FreeRDP clients connecting to untrusted servers are affected.

💻 Affected Systems

Products:
  • FreeRDP
Versions: All versions prior to 3.21.0
Operating Systems: Linux, Windows, macOS, BSD systems running FreeRDP
Default Config Vulnerable: ⚠️ Yes
Notes: Any FreeRDP client connecting to RDP servers is vulnerable. The vulnerability is in the client-side decoding logic.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution on the client system, allowing an attacker to gain control of the client machine.

🟠 Likely Case: Client application crash (denial of service), with potential for heap corruption that could lead to information disclosure or further exploitation.

🟢 If Mitigated: Limited to denial of service if the exploit fails to achieve code execution because of heap layout or mitigations such as ASLR.

🌐 Internet-Facing: HIGH - Clients connecting to internet-facing RDP servers are directly exposed to exploitation.
🏢 Internal Only: MEDIUM - Internal RDP servers could be compromised and used to attack clients, but this requires an initial internal foothold.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires controlling the RDP server or compromising a legitimate server. The vulnerability is in client-side code triggered by server responses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.21.0

Vendor Advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-32q9-m5qr-9j2v

Restart Required: Yes

Instructions:

1. Download FreeRDP 3.21.0 or later from official sources.
2. Uninstall previous versions.
3. Install the patched version.
4. Restart any applications using FreeRDP.

🔧 Temporary Workarounds

Disable RDPGFX ClearCodec (applies to: all)

Disable the vulnerable ClearCodec feature in the FreeRDP configuration: add /gfx:avc420 to the FreeRDP connection parameters instead of the default /gfx.

Network Segmentation (applies to: all)

Restrict FreeRDP clients to only connect to trusted, internal RDP servers.

🧯 If You Can't Patch

  • Implement strict network controls to only allow FreeRDP connections to trusted, verified RDP servers.
  • Monitor for crash events in FreeRDP clients and investigate any connections to untrusted servers.

🔍 How to Verify

Check if Vulnerable:

Check FreeRDP version with 'xfreerdp --version' or equivalent command. Versions below 3.21.0 are vulnerable.

Check Version:

xfreerdp --version 2>&1 | head -1

Verify Fix Applied:

Verify that the installed version is 3.21.0 or higher using the version check command above.
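The version check above is a one-liner to read by eye. The script below, an added example that is not part of this advisory or of the FreeRDP project, automates it for fleet inventory: it locates the client binary, pulls the first dotted version number out of its `--version` output, and compares it numerically against the 3.21.0 fix release rather than as a string (a string comparison would rank 3.9.0 above 3.21.0). It assumes the client is installed as `xfreerdp` or `xfreerdp3`, that `--version` prints a line containing an X.Y.Z version, and that the script is saved as `freerdp_check.sh`; the sample output string in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not FreeRDP project code): flag FreeRDP clients older than the fixed release.
# Assumptions: binary is xfreerdp or xfreerdp3; `--version` output contains an X.Y.Z token.
set -u

FIXED_VERSION="3.21.0"   # first release carrying the ClearCodec fix, per the advisory

# Read `--version` output on stdin and print the first X.Y.Z token found (empty if none).
parse_freerdp_version() {
  grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Compare two dotted versions field by field; prints -1, 0 or 1. Missing fields count as 0.
version_cmp() {
  _v1=$1; _v2=$2; _i=1
  while [ "$_i" -le 3 ]; do
    _x=$(printf '%s\n' "$_v1" | cut -d. -f"$_i")
    _y=$(printf '%s\n' "$_v2" | cut -d. -f"$_i")
    _x=${_x:-0}; _y=${_y:-0}
    if [ "$_x" -lt "$_y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$_x" -gt "$_y" ]; then printf '%s\n' 1; return 0; fi
    _i=$((_i + 1))
  done
  printf '%s\n' 0
}

# Exit status 0 (true) when the given version predates FIXED_VERSION.
is_vulnerable_version() {
  [ "$(version_cmp "$1" "$FIXED_VERSION")" = "-1" ]
}

# Find an installed client, run its version check and report.
# Exit codes: 0 = patched, 1 = vulnerable, 2 = could not determine.
check_installed_freerdp() {
  for _bin in xfreerdp3 xfreerdp; do
    if command -v "$_bin" >/dev/null 2>&1; then
      _ver=$("$_bin" --version 2>&1 | parse_freerdp_version)
      if [ -z "$_ver" ]; then
        echo "UNKNOWN: could not parse a version from '$_bin --version'"
        return 2
      fi
      if is_vulnerable_version "$_ver"; then
        echo "VULNERABLE: $_bin reports $_ver (< $FIXED_VERSION)"
        return 1
      fi
      echo "OK: $_bin reports $_ver (>= $FIXED_VERSION)"
      return 0
    fi
  done
  echo "UNKNOWN: no xfreerdp binary found in PATH"
  return 2
}

# Run the check only when invoked as a script (assumed file name), so the
# functions can also be sourced into other tooling.
case "$0" in
  *freerdp_check.sh) check_installed_freerdp ;;
esac
```

The exit code is meant for configuration-management or inventory jobs: `sh freerdp_check.sh; echo $?` gives 1 on a vulnerable host. Sourcing the file lets you test the parser on captured output without a client installed, for example `printf 'This is FreeRDP version 3.20.1 (constructed)\n' | parse_freerdp_version` prints `3.20.1`, which `is_vulnerable_version` then reports as below the fix. Note that a Flatpak, Snap or statically bundled FreeRDP (for example inside Remmina) is not on `PATH` under these names and needs a separate check of the bundled library version.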

📡 Detection & Monitoring

Log Indicators:

  • FreeRDP client crash logs
  • Segmentation fault or access violation in FreeRDP process
  • Unexpected termination of RDP sessions

Network Indicators:

  • RDP connections to untrusted or unknown servers
  • Unusual RDP traffic patterns from FreeRDP clients

SIEM Query:

process_name:"freerdp" AND (event_type:"crash" OR exit_code:139 OR exit_code:-1073741819)

🔗 References
