FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.
Security readout for executives and security teams
Plain-English summary
FreeRDP clients before 3.23.0 can be compromised when a user connects to a malicious or compromised RDP server. The flaw is in client-side graphics handling and can corrupt memory, potentially allowing code execution on the client system. No provided source shows active exploitation.
Executive priority
Treat as high priority for environments using FreeRDP clients, especially privileged admin workstations. It is not presented as actively exploited in the supplied sources, but the potential impact is severe enough to patch promptly.
Technical view
The issue is an out-of-bounds heap write in the GDI surface pipeline. The ClearCodec surface handler fails to validate destination rectangles against surface bounds, allowing memory corruption. The advisory states corruption can reach an indirect codec function pointer call, with instruction pointer control demonstrated in a harness.
Likely exposure
Exposure is most likely on desktops, jump boxes, admin workstations, or automation hosts running FreeRDP clients such as xfreerdp before 3.23.0, especially where users connect to third-party, untrusted, or potentially compromised RDP servers.
Exploitation context
Attack requires a FreeRDP client to connect to a malicious RDP server. The CVSS vector is network, low complexity, no privileges, and user interaction required. KEV is false, and the provided sources do not establish real-world exploitation.
Researcher notes
The strongest evidence comes from the FreeRDP advisory and patch reference. The source bundle describes exploitability harness results, but does not provide evidence of public exploitation. Product-specific remediation should be confirmed through FreeRDP or distribution advisories.
Mitigation direction
Upgrade FreeRDP to version 3.23.0 or later.
Apply relevant Red Hat errata packages where Red Hat builds are used.
Restrict FreeRDP use to trusted RDP servers until patched.
Review vendor advisories for distribution-specific fixed package versions.
Prioritize admin workstations and jump hosts using FreeRDP clients.
Validation and detection
Inventory installed FreeRDP and xfreerdp versions across endpoints.
Confirm clients report FreeRDP 3.23.0 or a vendor-fixed build.
Check whether GDI-based FreeRDP clients are used in workflows.
Review RDP connection destinations for untrusted or unusual servers.
Verify Red Hat systems have applicable RHSA updates installed.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-787: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
5Timeline events
2ADP providers
20Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-787 · source CWE mapping
Out-of-bounds Write
Out-of-bounds Write represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Buffer Access with Incorrect Length Value represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.