Heap Buffer Overflow in FreeRDP Remote Desktop Client from FreeRDP
CVE-2026-23530

7.7HIGH

Key Information:

Vendor

Freerdp

Status
Freerdp
Vendor
CVE Published:
19 January 2026

What is CVE-2026-23530?

A vulnerability exists in FreeRDP, a free and open-source implementation of Microsoft's Remote Desktop Protocol. Specifically, the issue arises in the freerdp_bitmap_decompress_planar function, which fails to validate source width and height parameters against the maximum allowed dimensions before performing RLE decoding. As a result, an attacker could exploit this flaw by sending specially crafted data from a malicious server, leading to a client-side heap buffer overflow. This could potentially cause application crashes and might open up avenues for code execution depending on the behavior of the memory allocator and the surrounding heap layout. The vulnerability is addressed in version 3.21.0 and users are urged to upgrade.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

FreeRDP < 3.21.0

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945...
x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945...
x_refsource_MISC

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.