CVE-2026-40033

Published: May 26, 2026

Modified: May 27, 2026

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but performs copy operations using unclamped cache entry dimensions, enabling malicious RDP servers to trigger large out-of-bounds writes and potentially achieve remote code execution or client crash.

Vendor	Product	Versions
FreeRDP	FreeRDP	affected `0 - < 3.26.0` unaffected `3.26.0`

Weaknesses (CWE)

CWE-122

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

GHSA Advisory GHSA-p6r2-4hgm-m6ff

vendor-advisory

https://github.com/FreeRDP/FreeRDP/commit/23b36cd00ebf0ccd97750fcdbc9aa2f362352da7

patch

VulnCheck Advisory: FreeRDP - Heap-buffer-overflow in gdi_CacheToSurface via rectangle validation bypass

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-40033

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References