{
  "threat_severity" : "Important",
  "public_date" : "2026-01-19T17:09:55Z",
  "bugzilla" : {
    "description" : "freerdp: FreeRDP: Arbitrary code execution and denial of service via client-side heap buffer overflow",
    "id" : "2430888",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2430888"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-122",
  "details" : [ "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.", "A flaw was found in FreeRDP, a free implementation of the Remote Desktop Protocol. A malicious server can trigger a client-side heap buffer overflow in the ClearCodec bands decode path. This vulnerability, caused by crafted band coordinates, allows writes past the end of the destination surface buffer. Successful exploitation can lead to a crash, resulting in a denial of service (DoS), and potentially arbitrary code execution." ],
  "statement" : "For this vulnerability to be exploited, a client must connect to a maliciously-configured server. Red Hat recommends that FreeRDP clients are only used to connect to trusted servers.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-09T00:00:00Z",
    "advisory" : "RHSA-2026:2222",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "freerdp-2:3.10.3-5.el10_1.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-02-18T00:00:00Z",
    "advisory" : "RHSA-2026:2952",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "freerdp-2:3.10.3-3.el10_0.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:2081",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "freerdp-2:2.11.7-2.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:2048",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "freerdp-2:2.11.7-1.el9_7.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2736",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "freerdp-2:2.11.2-1.el9_4.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-02-23T00:00:00Z",
    "advisory" : "RHSA-2026:3037",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "freerdp-2:2.11.7-1.el9_6.1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "freerdp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "freerdp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23534\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23534\nhttps://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L878-L879\nhttps://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L883-L884\nhttps://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0\nhttps://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3frr-mp8w-4599" ],
  "name" : "CVE-2026-23534",
  "csaw" : false
}