{"api_version":"1","generated_at":"2026-07-08T23:08:45+00:00","cve":"CVE-2026-26955","urls":{"html":"https://cve.report/CVE-2026-26955","api":"https://cve.report/api/cve/CVE-2026-26955.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-26955","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-26955"},"summary":{"title":"FreeRDP has Out-of-bounds Write","description":"FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-02-25 21:16:42","updated_at":"2026-06-30 03:17:51"},"problem_types":["CWE-787","CWE-805","CWE-787 CWE-787: Out-of-bounds Write","CWE-805 Buffer Access with Incorrect Length Value"],"metrics":[{"version":"3.1","source":"ADP","type":"CVSS","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:6616","name":"https://access.redhat.com/errata/RHSA-2026:6616","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/FreeRDP/FreeRDP/commit/7d8fdce2d0ef337cb86cb37fc0c436c905e04d77","name":"https://github.com/FreeRDP/FreeRDP/commit/7d8fdce2d0ef337cb86cb37fc0c436c905e04d77","refsource":"security-advisories@github.com","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:6385","name":"https://access.redhat.com/errata/RHSA-2026:6385","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:6712","name":"https://access.redhat.com/errata/RHSA-2026:6712","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:6665","name":"https://access.redhat.com/errata/RHSA-2026:6665","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:5939","name":"https://access.redhat.com/errata/RHSA-2026:5939","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:6005","name":"https://access.redhat.com/errata/RHSA-2026:6005","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:6396","name":"https://access.redhat.com/errata/RHSA-2026:6396","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26955.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26955.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:19033","name":"https://access.redhat.com/errata/RHSA-2026:19033","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2443132","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2443132","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:6395","name":"https://access.redhat.com/errata/RHSA-2026:6395","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:6004","name":"https://access.redhat.com/errata/RHSA-2026:6004","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:5936","name":"https://access.redhat.com/errata/RHSA-2026:5936","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-26955","name":"https://access.redhat.com/security/cve/CVE-2026-26955","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mr6w-ch7c-mqqj","name":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mr6w-ch7c-mqqj","refsource":"security-advisories@github.com","tags":["Exploit","Mitigation","Patch","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:6384","name":"https://access.redhat.com/errata/RHSA-2026:6384","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:7292","name":"https://access.redhat.com/errata/RHSA-2026:7292","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:6764","name":"https://access.redhat.com/errata/RHSA-2026:6764","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-26955","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26955","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"FreeRDP","product":"FreeRDP","version":"affected < 3.23.0","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux Server (v. 7 ELS)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux Server Optional (v. 7 ELS)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream EUS (v. 10.0)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream (v. 10)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream (v. 8)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream AUS (v. 8.2)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream AUS (v.8.4)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream AUS (v.8.6)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream E4S (v.8.6)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream TUS (v.8.6)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream E4S (v.8.8)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream TUS (v.8.8)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream E4S (v.9.0)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream E4S (v.9.2)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream EUS (v.9.4)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream EUS (v.9.6)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream (v. 9)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux CRB (v. 8)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat CodeReady Linux Builder EUS (v.9.4)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat CodeReady Linux Builder EUS (v.9.6)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 6","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-02-26T21:03:46.682Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-02-25T20:47:14.660Z","lang":"en","value":"Made public."}],"solutions":[{"source":"ADP","title":"","value":"RHSA-2026:7292: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:5936: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:5939: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:19033: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:6005: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux CRB (v. 8)","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:6712: Red Hat Enterprise Linux AppStream AUS (v. 8.2)","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:6616: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:6665: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.6)","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:6764: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:6395: Red Hat Enterprise Linux AppStream E4S (v.9.0)","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:6396: Red Hat Enterprise Linux AppStream E4S (v.9.2)","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:6384: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4)","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:6385: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:6004: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)","time":"","lang":"en"}],"workarounds":[{"source":"ADP","title":"","value":"To mitigate this issue, avoid connecting to untrusted or unverified RDP servers. Users should only establish RDP connections with known and trusted servers. If connecting to untrusted servers is unavoidable, consider using a sandbox environment or a dedicated, isolated system for such connections to limit potential impact.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"26955","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"freerdp","cpe5":"freerdp","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"26955","cve":"CVE-2026-26955","epss":"0.005370000","percentile":"0.412480000","score_date":"2026-07-02","updated_at":"2026-07-03 00:06:15"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-26955","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-02-26T20:30:12.659110Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-02-26T20:30:46.008Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"cpes":["cpe:/o:redhat:rhel_els:7"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux Server (v. 7 ELS)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:rhel_els:7"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux Server Optional (v. 7 ELS)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS (v. 10.0)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10.1","cpe:/o:redhat:enterprise_linux:10.2"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:8::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 8)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_aus:8.2::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream AUS (v. 8.2)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_aus:8.4::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream AUS (v.8.4)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_aus:8.6::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream AUS (v.8.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_e4s:8.6::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream E4S (v.8.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_tus:8.6::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream TUS (v.8.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_e4s:8.8::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream E4S (v.8.8)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_tus:8.8::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream TUS (v.8.8)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_e4s:9.0::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream E4S (v.9.0)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_e4s:9.2::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream E4S (v.9.2)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.4::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS (v.9.4)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.6::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS (v.9.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10.1","cpe:/o:redhat:enterprise_linux:10.2"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:8::crb"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CRB (v. 8)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.4::crb"],"defaultStatus":"affected","product":"Red Hat CodeReady Linux Builder EUS (v.9.4)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.6::crb"],"defaultStatus":"affected","product":"Red Hat CodeReady Linux Builder EUS (v.9.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::crb"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:6"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 6","vendor":"Red Hat"}],"datePublic":"2026-02-25T20:47:14.660Z","descriptions":[{"lang":"en","value":"A flaw was found in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). A malicious RDP server can exploit a heap buffer overflow vulnerability by sending a specially crafted graphics command to a FreeRDP client. This allows the server to write data outside of its intended memory region, potentially leading to arbitrary code execution on the client system. The vulnerability occurs because the client does not properly validate the dimensions of incoming graphics commands."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-805","description":"Buffer Access with Incorrect Length Value","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-30T02:45:32.614Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-26955"},{"name":"RHBZ#2443132","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2443132"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26955.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7292"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:5936"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:5939"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:19033"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6005"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6712"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6616"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6665"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6764"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6395"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6396"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6384"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6385"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6004"}],"solutions":[{"lang":"en","value":"RHSA-2026:7292: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)"},{"lang":"en","value":"RHSA-2026:5936: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"},{"lang":"en","value":"RHSA-2026:5939: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"},{"lang":"en","value":"RHSA-2026:19033: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"},{"lang":"en","value":"RHSA-2026:6005: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux CRB (v. 8)"},{"lang":"en","value":"RHSA-2026:6712: Red Hat Enterprise Linux AppStream AUS (v. 8.2)"},{"lang":"en","value":"RHSA-2026:6616: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"},{"lang":"en","value":"RHSA-2026:6665: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.6)"},{"lang":"en","value":"RHSA-2026:6764: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"},{"lang":"en","value":"RHSA-2026:6395: Red Hat Enterprise Linux AppStream E4S (v.9.0)"},{"lang":"en","value":"RHSA-2026:6396: Red Hat Enterprise Linux AppStream E4S (v.9.2)"},{"lang":"en","value":"RHSA-2026:6384: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4)"},{"lang":"en","value":"RHSA-2026:6385: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)"},{"lang":"en","value":"RHSA-2026:6004: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"}],"timeline":[{"lang":"en","time":"2026-02-26T21:03:46.682Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-25T20:47:14.660Z","value":"Made public."}],"title":"freerdp: FreeRDP: Arbitrary code execution via heap buffer overflow in GDI surface pipeline","workarounds":[{"lang":"en","value":"To mitigate this issue, avoid connecting to untrusted or unverified RDP servers. Users should only establish RDP connections with known and trusted servers. If connecting to untrusted servers is unavoidable, consider using a sandbox environment or a dedicated, isolated system for such connections to limit potential impact."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"product":"FreeRDP","vendor":"FreeRDP","versions":[{"status":"affected","version":"< 3.23.0"}]}],"descriptions":[{"lang":"en","value":"FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-787","description":"CWE-787: Out-of-bounds Write","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-02-25T20:47:14.660Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mr6w-ch7c-mqqj","tags":["x_refsource_CONFIRM"],"url":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mr6w-ch7c-mqqj"},{"name":"https://github.com/FreeRDP/FreeRDP/commit/7d8fdce2d0ef337cb86cb37fc0c436c905e04d77","tags":["x_refsource_MISC"],"url":"https://github.com/FreeRDP/FreeRDP/commit/7d8fdce2d0ef337cb86cb37fc0c436c905e04d77"}],"source":{"advisory":"GHSA-mr6w-ch7c-mqqj","discovery":"UNKNOWN"},"title":"FreeRDP has Out-of-bounds Write"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-26955","datePublished":"2026-02-25T20:47:14.660Z","dateReserved":"2026-02-16T22:20:28.611Z","dateUpdated":"2026-06-30T02:45:32.614Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-02-25 21:16:42","lastModifiedDate":"2026-06-30 03:17:51","problem_types":["CWE-787","CWE-805","CWE-787 CWE-787: Out-of-bounds Write","CWE-805 Buffer Access with Incorrect Length Value"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-02-26T20:30:12.659110Z","id":"CVE-2026-26955","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*","versionEndExcluding":"3.23.0","matchCriteriaId":"31715854-6D23-4207-AB69-27707C7B2D42"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"26955","Ordinal":"1","Title":"FreeRDP has Out-of-bounds Write","CVE":"CVE-2026-26955","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"26955","Ordinal":"1","NoteData":"FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.","Type":"Description","Title":"FreeRDP has Out-of-bounds Write"}]}}}