Bug 2430891 (CVE-2026-23532)

Summary: CVE-2026-23532 freerdp: FreeRDP: Denial of Service and potential code execution via client-side heap buffer overflow
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in FreeRDP. A malicious server can exploit a client-side heap buffer overflow vulnerability in the `gdi_SurfaceToSurface` path. This vulnerability, caused by a mismatch in memory handling, can lead to a crash (Denial of Service) of the client application. Furthermore, it carries a risk of heap corruption, which could potentially enable arbitrary code execution on the affected system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2430894, 2430895, 2430896, 2430898, 2430897    
Bug Blocks:    

Description OSIDB Bzimport 2026-01-19 18:02:38 UTC 
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the  FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.