CVE-2026-26955

8.8 HIGH

📋 TL;DR

A heap buffer overflow vulnerability in FreeRDP clients allows a malicious RDP server to execute arbitrary code on connecting clients. Attackers controlling an RDP server can exploit this to gain full control of client systems. All FreeRDP clients using the GDI surface pipeline (like xfreerdp) prior to version 3.23.0 are affected.

💻 Affected Systems

Products:
  • FreeRDP
Versions: All versions prior to 3.23.0
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects clients using GDI surface pipeline (e.g., xfreerdp). Server implementations are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full remote code execution with system compromise, allowing attackers to install malware, steal credentials, or pivot to other systems.

🟠 Likely Case: Remote code execution leading to complete client system compromise when connecting to malicious RDP servers.

🟢 If Mitigated: Denial of service or application crash if the exploit fails or is blocked by security controls.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploit requires client to connect to malicious server. Proof-of-concept exists in security advisory but not publicly released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.23.0

Vendor Advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mr6w-ch7c-mqqj

Restart Required: Yes

Instructions:

1. Upgrade FreeRDP to version 3.23.0 or later.
2. For package managers: use your distribution's update command (apt update && apt upgrade freerdp2, yum update freerdp, etc.).
3. For source builds: download the latest release from GitHub and rebuild.
4. Restart any FreeRDP client applications.

🔧 Temporary Workarounds

Disable GDI surface pipeline (all platforms): Run FreeRDP with the GDI surface pipeline disabled to avoid the vulnerable code path:

xfreerdp /gdi:sw

Network segmentation (all platforms): Restrict RDP connections to trusted servers only using firewall rules.

🧯 If You Can't Patch

  • Restrict RDP connections to trusted, verified servers only
  • Implement network monitoring for anomalous RDP traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check the FreeRDP version with xfreerdp --version. If the reported version is below 3.23.0, the client is vulnerable.

Check Version:

xfreerdp --version

Verify Fix Applied:

After the upgrade, confirm the reported version is 3.23.0 or higher. Extract the version number and compare it numerically against 3.23.0 rather than with a digit pattern (a pattern such as 3\.[2-9][4-9] matches 3.24 to 3.29 but misses fixed releases like 3.30.0):

xfreerdp --version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1

📡 Detection & Monitoring

Log Indicators:

  • FreeRDP crash logs
  • Application errors mentioning heap corruption or buffer overflow
  • Unexpected process termination of xfreerdp

Network Indicators:

  • RDP connections to untrusted or unknown servers
  • Anomalous RDPGFX protocol traffic patterns

SIEM Query:

(process.name:"xfreerdp" AND event.action:"crashed") OR (network.protocol:"rdp" AND network.destination.ip NOT IN [trusted_server_ips])
