CVE-2026-31806

EUVD-2026-12060
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits() function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using NSCodec, the bmp.width and bmp.height values provided by the server are not validated against the actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size. Because these values are used during bitmap decoding and memory operations without bounds checking, this can lead to a heap buffer overflow. Since the attacker also controls the pixel data the server transmits, the overflow may be exploitable to overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0.
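The defect class described above is a missing check of server-controlled tile dimensions against the client's own surface. The following C program, added here as an illustration and not taken from FreeRDP, models that check on hypothetical, simplified types (the surface_bits_cmd and surface structs, the BITS_* result codes and the run_surface_bits driver are all assumptions of this example; only the names bmp.width and bmp.height come from the advisory). It shows the validation a decoder should perform before any pixel copy: the rectangle must fit inside the desktop surface, the offset plus width must not wrap in 32-bit arithmetic, the byte count must be representable, and the payload length must agree with the header.

```c
/* Added example (not FreeRDP code): validate a server-supplied bitmap tile
 * against the client's own surface before decoding it. All types below are
 * a hypothetical, simplified model built for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical surface-bits command as seen by the client after parsing. */
typedef struct {
    uint32_t destLeft, destTop;  /* where the server asks to place the tile */
    uint32_t width, height;      /* bmp.width / bmp.height, server-controlled */
    uint32_t bpp;                /* bits per pixel, server-controlled */
} surface_bits_cmd;

/* The client's desktop surface: the "actual desktop dimensions". */
typedef struct {
    uint32_t width, height, bpp;
    uint8_t *pixels;             /* width * height * (bpp / 8) bytes */
} surface;

enum {
    BITS_OK = 0,
    BITS_BAD_ARG = 1,         /* zero size, unsupported or mismatched bpp */
    BITS_OUT_OF_BOUNDS = 2,   /* tile rectangle leaves the desktop surface */
    BITS_OVERFLOW = 3,        /* byte count not representable as size_t */
    BITS_LENGTH_MISMATCH = 4  /* payload length disagrees with the header */
};

/* Every server-controlled value is checked against the client's surface
 * before any pointer arithmetic. Sums and products are evaluated in 64 bits
 * so destLeft + width and width * height cannot silently wrap around. */
static int surface_bits_validate(const surface *dst, const surface_bits_cmd *cmd,
                                 size_t data_len)
{
    if (!dst || !dst->pixels || !cmd)
        return BITS_BAD_ARG;
    if (cmd->width == 0 || cmd->height == 0 || cmd->bpp == 0 ||
        cmd->bpp % 8 != 0 || cmd->bpp != dst->bpp)
        return BITS_BAD_ARG;
    /* 1. The tile must lie entirely inside the desktop surface. */
    if ((uint64_t)cmd->destLeft + cmd->width > dst->width ||
        (uint64_t)cmd->destTop + cmd->height > dst->height)
        return BITS_OUT_OF_BOUNDS;
    /* 2. The pixel byte count must be representable and match the payload. */
    uint64_t area = (uint64_t)cmd->width * cmd->height;  /* always < 2^64 */
    size_t bytes_pp = cmd->bpp / 8;
    if (area > SIZE_MAX / bytes_pp)
        return BITS_OVERFLOW;
    if ((size_t)area * bytes_pp != data_len)
        return BITS_LENGTH_MISMATCH;
    return BITS_OK;
}

/* Copies a decoded tile into the surface row by row, only after validation. */
static int surface_bits_apply(surface *dst, const surface_bits_cmd *cmd,
                              const uint8_t *data, size_t data_len)
{
    int rc = surface_bits_validate(dst, cmd, data_len);
    if (rc != BITS_OK)
        return rc;
    size_t bytes_pp = cmd->bpp / 8;
    size_t dst_stride = (size_t)dst->width * bytes_pp;
    size_t row_bytes = (size_t)cmd->width * bytes_pp;
    for (uint32_t y = 0; y < cmd->height; y++) {
        uint8_t *row = dst->pixels + ((size_t)cmd->destTop + y) * dst_stride +
                       (size_t)cmd->destLeft * bytes_pp;
        memcpy(row, data + (size_t)y * row_bytes, row_bytes);
    }
    return BITS_OK;
}

/* Driver (constructed data): builds a dw x dh 32-bpp surface, a command from
 * the given header values and a payload filled with 0xAB, applies it and
 * returns the result code. *corner receives the byte at the tile's top-left
 * corner when the tile was applied, otherwise 0. */
static int run_surface_bits(uint32_t dw, uint32_t dh, uint32_t left, uint32_t top,
                            uint32_t w, uint32_t h, size_t data_len, int *corner)
{
    surface dst = { dw, dh, 32, NULL };
    size_t dst_bytes = (size_t)dw * dh * 4;
    dst.pixels = calloc(dst_bytes, 1);
    uint8_t *data = malloc(data_len ? data_len : 1);
    if (!dst.pixels || !data) {
        free(dst.pixels);
        free(data);
        return BITS_BAD_ARG;
    }
    memset(data, 0xAB, data_len);
    surface_bits_cmd cmd = { left, top, w, h, 32 };
    int rc = surface_bits_apply(&dst, &cmd, data, data_len);
    if (corner) {
        size_t idx = ((size_t)top * dw + left) * 4;
        *corner = (rc == BITS_OK && idx < dst_bytes) ? dst.pixels[idx] : 0;
    }
    free(dst.pixels);
    free(data);
    return rc;
}

/* Convenience wrapper returning only the corner byte (0 if rejected). */
static int corner_after_apply(uint32_t dw, uint32_t dh, uint32_t left, uint32_t top,
                              uint32_t w, uint32_t h, size_t data_len)
{
    int px = 0;
    run_surface_bits(dw, dh, left, top, w, h, data_len, &px);
    return px;
}

int main(void)
{
    printf("in-bounds tile:  rc=%d corner=0x%02x\n",
           run_surface_bits(64, 64, 48, 48, 16, 16, 16 * 16 * 4, NULL),
           corner_after_apply(64, 64, 48, 48, 16, 16, 16 * 16 * 4));
    printf("oversized tile:  rc=%d\n", run_surface_bits(64, 64, 0, 0, 1000, 16, 1000 * 16 * 4, NULL));
    printf("wrapping offset: rc=%d\n", run_surface_bits(64, 64, 1, 0, 0xFFFFFFFFu, 1, 4, NULL));
    return 0;
}
```

The "wrapping offset" case is the one worth noting: with 32-bit arithmetic, destLeft = 1 plus width = 0xFFFFFFFF sums to 0 and would pass a naive `destLeft + width <= dst->width` test; promoting to 64 bits before comparing is what makes the rectangle check meaningful. A real decoder would also reject the command before allocating or touching any pixel data, as the validate-then-apply split above does.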
Provider | Type | Base Score (CVSS 3.x) | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: Percentile: 10%
Affected Products (NVD)
Vendor | Product | Version
freerdp | freerdp | < 3.24.0 (vulnerable software versions)
Debian Releases
Debian Product | Codename | Version | Status
freerdp2 | bookworm | | no-dsa
freerdp2 | bullseye | | vulnerable
freerdp2 | bullseye (security) | | vulnerable
freerdp3 | forky | 3.26.0+dfsg-1 | fixed
freerdp3 | sid | 3.26.0+dfsg-1 | fixed
freerdp3 | trixie | 3.15.0+dfsg-2.1+deb13u3 | fixed
openSUSE / SLES Releases
openSUSE Product | Release | Version | Status
freerdp | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp | suse enterprise sap 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp | suse enterprise server 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-devel | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-devel | suse enterprise sap 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-devel | suse enterprise server 12 SP5 | 2.1.2-12.63.1 | fixed
freerdp-devel | suse enterprise server 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-devel | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-proxy | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-proxy | suse enterprise sap 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-proxy | suse enterprise server 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-proxy | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-proxy-plugins | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-proxy-plugins | suse enterprise sap 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-proxy-plugins | suse enterprise server 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-proxy-plugins | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-sdl | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-sdl | suse enterprise sap 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-sdl | suse enterprise server 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-sdl | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-server | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-server | suse enterprise sap 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-server | suse enterprise server 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp-server | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.9.1 | fixed
freerdp2 | suse enterprise desktop 15 SP7 | 2.11.7-150700.3.22.1 | fixed
freerdp2 | suse enterprise sap 15 SP7 | 2.11.7-150700.3.22.1 | fixed
freerdp2 | suse enterprise server 15 SP7 | 2.11.7-150700.3.22.1 | fixed
freerdp2 | suse enterprise workstation 15 SP7 | 2.11.7-150700.3.22.1 | fixed
freerdp2-devel | suse enterprise desktop 15 SP7 | 2.11.7-150700.3.22.1 | fixed
freerdp2-devel | suse enterprise sap 15 SP7 | 2.11.7-150700.3.22.1 | fixed
freerdp2-devel | suse enterprise server 15 SP7 | 2.11.7-150700.3.22.1 | fixed
freerdp2-devel | suse enterprise workstation 15 SP7 | 2.11.7-150700.3.22.1 | fixed
freerdp2-proxy | suse enterprise desktop 15 SP7 | 2.11.7-150700.3.22.1 | fixed
freerdp2-proxy | suse enterprise sap 15 SP7 | 2.11.7-150700.3.22.1 | fixed
freerdp2-proxy | suse enterprise server 15 SP7 | 2.11.7-150700.3.22.1 | fixed
freerdp2-proxy | suse enterprise workstation 15 SP7 | 2.11.7-150700.3.22.1 | fixed
freerdp2-server | suse enterprise desktop 15 SP7 | 2.11.7-150700.3.22.1 | fixed
freerdp2-server | suse enterprise sap 15 SP7 | 2.11.7-150700.3.22.1 | fixed
freerdp2-server | suse enterprise server 15 SP7 | 2.11.7-150700.3.22.1 | fixed
freerdp2-server | suse enterprise workstation 15 SP7 | 2.11.7-150700.3.22.1 | fixed
libfreerdp-server-proxy3-3 | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.9.1 | fixed
libfreerdp-server-proxy3-3 | suse enterprise sap 15 SP7 | 3.10.3-150700.3.9.1 | fixed
libfreerdp-server-proxy3-3 | suse enterprise server 15 SP7 | 3.10.3-150700.3.9.1 | fixed
libfreerdp-server-proxy3-3 | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.9.1 | fixed
libfreerdp2-2 | suse enterprise desktop 15 SP7 | 2.11.7-150700.3.22.1 | fixed
libfreerdp2-2 | suse enterprise sap 15 SP7 | 2.11.7-150700.3.22.1 | fixed
libfreerdp2-2 | suse enterprise server 15 SP7 | 2.11.7-150700.3.22.1 | fixed
libfreerdp2-2 | suse enterprise workstation 15 SP7 | 2.11.7-150700.3.22.1 | fixed
libfreerdp3-3 | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.9.1 | fixed
libfreerdp3-3 | suse enterprise sap 15 SP7 | 3.10.3-150700.3.9.1 | fixed
libfreerdp3-3 | suse enterprise server 15 SP7 | 3.10.3-150700.3.9.1 | fixed
libfreerdp3-3 | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.9.1 | fixed
librdtk0-0 | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.9.1 | fixed
librdtk0-0 | suse enterprise sap 15 SP7 | 3.10.3-150700.3.9.1 | fixed
librdtk0-0 | suse enterprise server 15 SP7 | 3.10.3-150700.3.9.1 | fixed
librdtk0-0 | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.9.1 | fixed
libwinpr2-2 | suse enterprise desktop 15 SP7 | 2.11.7-150700.3.22.1 | fixed
libwinpr2-2 | suse enterprise sap 15 SP7 | 2.11.7-150700.3.22.1 | fixed
libwinpr2-2 | suse enterprise server 15 SP7 | 2.11.7-150700.3.22.1 | fixed
libwinpr2-2 | suse enterprise workstation 15 SP7 | 2.11.7-150700.3.22.1 | fixed
libwinpr3-3 | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.9.1 | fixed
libwinpr3-3 | suse enterprise sap 15 SP7 | 3.10.3-150700.3.9.1 | fixed
libwinpr3-3 | suse enterprise server 15 SP7 | 3.10.3-150700.3.9.1 | fixed
libwinpr3-3 | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.9.1 | fixed
winpr-devel | suse enterprise desktop 15 SP7 | 3.10.3-150700.3.9.1 | fixed
winpr-devel | suse enterprise sap 15 SP7 | 3.10.3-150700.3.9.1 | fixed
winpr-devel | suse enterprise server 15 SP7 | 3.10.3-150700.3.9.1 | fixed
winpr-devel | suse enterprise workstation 15 SP7 | 3.10.3-150700.3.9.1 | fixed
winpr2-devel | suse enterprise desktop 15 SP7 | 2.11.7-150700.3.22.1 | fixed
winpr2-devel | suse enterprise sap 15 SP7 | 2.11.7-150700.3.22.1 | fixed
winpr2-devel | suse enterprise server 12 SP5 | 2.1.2-12.63.1 | fixed
winpr2-devel | suse enterprise server 15 SP7 | 2.11.7-150700.3.22.1 | fixed
winpr2-devel | suse enterprise workstation 15 SP7 | 2.11.7-150700.3.22.1 | fixed
Red Hat Enterprise Linux Releases
Red Hat Product | Release | Version | Status
freerdp | RHEL 8 | 2:2.11.7-6.el8_10 | fixed
freerdp | RHEL 8.2 AUS | 2:2.0.0-46.rc4.el8_2.10 | fixed
freerdp | RHEL 8.4 AUS | 2:2.2.0-12.el8_4 | fixed
freerdp | RHEL 8.6 AUS | 2:2.2.0-7.el8_6.5 | fixed
freerdp | RHEL 8.6 E4S | 2:2.2.0-7.el8_6.5 | fixed
freerdp | RHEL 8.6 TUS | 2:2.2.0-7.el8_6.5 | fixed
freerdp | RHEL 8.8 E4S | 2:2.2.0-12.el8_8.5 | fixed
freerdp | RHEL 8.8 TUS | 2:2.2.0-12.el8_8.5 | fixed
freerdp | RHEL 9 | 2:2.11.7-1.el9_7.5 | fixed
freerdp-devel | RHEL 8 | 2:2.11.7-6.el8_10 | fixed
freerdp-devel | RHEL 9 | 2:2.11.7-1.el9_7.5 | fixed
freerdp-libs | RHEL 8 | 2:2.11.7-6.el8_10 | fixed
freerdp-libs | RHEL 8.2 AUS | 2:2.0.0-46.rc4.el8_2.10 | fixed
freerdp-libs | RHEL 8.4 AUS | 2:2.2.0-12.el8_4 | fixed
freerdp-libs | RHEL 8.6 AUS | 2:2.2.0-7.el8_6.5 | fixed
freerdp-libs | RHEL 8.6 E4S | 2:2.2.0-7.el8_6.5 | fixed
freerdp-libs | RHEL 8.6 TUS | 2:2.2.0-7.el8_6.5 | fixed
freerdp-libs | RHEL 8.8 E4S | 2:2.2.0-12.el8_8.5 | fixed
freerdp-libs | RHEL 8.8 TUS | 2:2.2.0-12.el8_8.5 | fixed
freerdp-libs | RHEL 9 | 2:2.11.7-1.el9_7.5 | fixed
libwinpr | RHEL 8 | 2:2.11.7-6.el8_10 | fixed
libwinpr | RHEL 8.2 AUS | 2:2.0.0-46.rc4.el8_2.10 | fixed
libwinpr | RHEL 8.4 AUS | 2:2.2.0-12.el8_4 | fixed
libwinpr | RHEL 8.6 AUS | 2:2.2.0-7.el8_6.5 | fixed
libwinpr | RHEL 8.6 E4S | 2:2.2.0-7.el8_6.5 | fixed
libwinpr | RHEL 8.6 TUS | 2:2.2.0-7.el8_6.5 | fixed
libwinpr | RHEL 8.8 E4S | 2:2.2.0-12.el8_8.5 | fixed
libwinpr | RHEL 8.8 TUS | 2:2.2.0-12.el8_8.5 | fixed
libwinpr | RHEL 9 | 2:2.11.7-1.el9_7.5 | fixed
libwinpr-devel | RHEL 8 | 2:2.11.7-6.el8_10 | fixed
libwinpr-devel | RHEL 8.2 AUS | 2:2.0.0-46.rc4.el8_2.10 | fixed
libwinpr-devel | RHEL 8.4 AUS | 2:2.2.0-12.el8_4 | fixed
libwinpr-devel | RHEL 8.6 AUS | 2:2.2.0-7.el8_6.5 | fixed
libwinpr-devel | RHEL 8.6 E4S | 2:2.2.0-7.el8_6.5 | fixed
libwinpr-devel | RHEL 8.6 TUS | 2:2.2.0-7.el8_6.5 | fixed
libwinpr-devel | RHEL 8.8 E4S | 2:2.2.0-12.el8_8.5 | fixed
libwinpr-devel | RHEL 8.8 TUS | 2:2.2.0-12.el8_8.5 | fixed
libwinpr-devel | RHEL 9 | 2:2.11.7-1.el9_7.5 | fixed
Amazon Linux Releases
Amazon Package | Release | Version | Status
freerdp | Amazon Linux 2 | 2:2.11.7-1.amzn2.0.8 | fixed
freerdp | Amazon Linux 2023 | 2:3.6.3-1.amzn2023.0.7 | fixed
freerdp-debuginfo | Amazon Linux 2 | 2:2.11.7-1.amzn2.0.8 | fixed
freerdp-debuginfo | Amazon Linux 2023 | 2:3.6.3-1.amzn2023.0.7 | fixed
freerdp-debugsource | Amazon Linux 2023 | 2:3.6.3-1.amzn2023.0.7 | fixed
freerdp-devel | Amazon Linux 2 | 2:2.11.7-1.amzn2.0.8 | fixed
freerdp-devel | Amazon Linux 2023 | 2:3.6.3-1.amzn2023.0.7 | fixed
freerdp-libs | Amazon Linux 2 | 2:2.11.7-1.amzn2.0.8 | fixed
freerdp-libs | Amazon Linux 2023 | 2:3.6.3-1.amzn2023.0.7 | fixed
freerdp-libs-debuginfo | Amazon Linux 2023 | 2:3.6.3-1.amzn2023.0.7 | fixed
freerdp-server | Amazon Linux 2023 | 2:3.6.3-1.amzn2023.0.7 | fixed
freerdp-server-debuginfo | Amazon Linux 2023 | 2:3.6.3-1.amzn2023.0.7 | fixed
libwinpr | Amazon Linux 2 | 2:2.11.7-1.amzn2.0.8 | fixed
libwinpr | Amazon Linux 2023 | 2:3.6.3-1.amzn2023.0.7 | fixed
libwinpr-debuginfo | Amazon Linux 2023 | 2:3.6.3-1.amzn2023.0.7 | fixed
libwinpr-devel | Amazon Linux 2 | 2:2.11.7-1.amzn2.0.8 | fixed
libwinpr-devel | Amazon Linux 2023 | 2:3.6.3-1.amzn2023.0.7 | fixed