{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-17T20:45:36.841","vulnerabilities":[{"cve":{"id":"CVE-2026-26955","sourceIdentifier":"security-advisories@github.com","published":"2026-02-25T21:16:42.863","lastModified":"2026-02-27T14:50:07.533","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch."},{"lang":"es","value":"FreeRDP es una implementación gratuita del Protocolo de Escritorio Remoto. Antes de la versión 3.23.0, un servidor RDP malicioso puede desencadenar un desbordamiento de búfer de montón en clientes FreeRDP que utilizan la tubería de superficie GDI (por ejemplo, 'xfreerdp') enviando un comando de superficie RDPGFX ClearCodec con un rectángulo de destino fuera de límites. 
El gestor 'gdi_SurfaceCommand_ClearCodec()' no llama a 'is_within_surface()' para validar el rectángulo del comando contra las dimensiones de la superficie de destino, permitiendo que 'cmd->left'/'cmd->top' (y los desplazamientos del rectángulo del subcódec) controlados por el atacante alcancen rutinas de copia de imagen que escriben en 'surface->data' sin aplicación de límites. La escritura OOB corrompe el puntero 'codecs*' de una estructura 'gdiGfxSurface' adyacente con datos de píxeles controlados por el atacante, y la corrupción de 'codecs*' es suficiente para alcanzar una llamada a puntero de función indirecta ('NSC_CONTEXT.decode' en 'nsc.c:500') en un comando de códec subsiguiente — control total del puntero de instrucción (RIP) demostrado en el arnés de explotabilidad. Los usuarios deben actualizar a la versión 3.23.0 para recibir un parche."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*","versionEndExcluding":"3.23.0","matchCriteriaId":"31715854-6D23-4207-AB69-27707C7B2D42"}]}]}],"references":[{"url":"https://github.com/FreeRDP/FreeRDP/commit/7d8fdce2d0ef337cb86cb37fc0c436c905e04d77","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mr6w-ch7c-mqqj","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Patch","Vendor Advisory"]}]}}]}