CVE-2026-44421 HIGH

CVE-2026-44421: FreeRDP RDPGFX CacheToSurface heap-buffer-overflow via clamped-rectangle validation bypass

Vendor Freerdp
Product FreeRDP
Weakness CWE-122
Published May 29, 2026
Last update June 30, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client by sending crafted RDPGFX PDUs. The bug is in gdi_CacheToSurface: it validates a destination rectangle that is clamped to UINT16_MAX, but then performs the copy using the original cacheEntry->width/height. This can cause a large out-of-bounds heap write and may lead to client crashes or code execution. This bug is reachable from a malicious RDP server, but only when the client has RDPGFX enabled. This vulnerability is fixed in 3.26.0.

Key dates

02Disclosure timeline

May 29, 2026 CVE published
June 30, 2026 Record updated