FreeRDP, Heap-Buffer-Overflow, CVE-2026-40033 (Critical)

Listen to this Post

The vulnerability resides in the `gdi_CacheToSurface` function of FreeRDP versions before 3.26.0. When an RDP client processes a `CacheToSurface` order from a malicious server, the function attempts to copy cached bitmap data onto a drawing surface. The issue arises from improper validation of rectangle dimensions. The function clamps rectangle coordinates to `UINT16_MAX` (65535) as a safety measure, but the subsequent memory copy operation uses the original, unclamped dimensions from the cache entry. This mismatch allows an attacker-controlled RDP server to specify a cache entry with width or height exceeding the clamped bounds. The copy routine then writes heap memory out of bounds, using the oversized dimensions. Because the heap buffer allocated for the surface is sized based on the clamped coordinates, the unclamped dimensions cause an overflow. The overflow can overwrite adjacent heap metadata or other objects, leading to memory corruption. A remote attacker can achieve arbitrary code execution by carefully structuring the overflow to overwrite a function pointer or C++ vtable. Alternatively, a malformed request can simply crash the client. The vulnerability is reachable without authentication when the client connects to a rogue server. No user interaction beyond initiating an RDP session is required. The root cause is the lack of consistent clamping between geometry validation and memory operations. Fixed in commit that enforces the same `UINT16_MAX` limit on both the rectangle and the cache entry dimensions before copying.

dailycve form:

Platform: FreeRDP
Version: before 3.26.0
Vulnerability: Heap buffer overflow
Severity: Critical
date: 2026-05-26

Prediction: Already patched 3.26.0

What Undercode Say:

Check FreeRDP version
xfreerdp --version | grep "This is FreeRDP version"
Detect vulnerable version (before 3.26.0)
if [[ $(xfreerdp --version | grep -oP 'version \K[0-9.]+' | head -1) < "3.26.0" ]]; then echo "VULNERABLE to CVE-2026-40033"; fi
Example code snippet showing the flaw (pseudocode from reverse engineering)
void gdi_CacheToSurface(rdpContext context, CACHE_TO_SURFACE_ORDER order) {
UINT16 left = clamp(order->rectLeft, 0, UINT16_MAX);
UINT16 top = clamp(order->rectTop, 0, UINT16_MAX);
// BUG: uses order->cacheWidth (unclamped) instead of clamped width
memcpy(surface_buffer + offset, cache_entry->data, order->cacheWidth order->cacheHeight bpp);
}

Exploit:

Send a crafted `CacheToSurface` PDU with `cacheWidth` and `cacheHeight` set to values > 65535 (e.g., 131072) while `rectLeft/rectTop` stay within 0-65535. The client allocates a small surface but copies a huge block, overwriting heap. Use heap spraying to place a return address or vtable pointer after the buffer, then trigger RCE.

Protection from this CVE:

Update to FreeRDP 3.26.0 or later. If unable to patch, block untrusted RDP servers at firewall, disable automatic connection to unknown servers, or run client in a sandboxed environment (e.g., AppContainer, Docker). No workaround besides code fix.

Impact:

Remote code execution or denial-of-service (client crash) via malicious RDP server. Attacker can gain same privileges as the RDP client process, potentially leading to system compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top