CVE-2026-40033 · HIGH 8.8 · EPSS p47.0%

Description

FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but performs copy operations using unclamped cache entry dimensions, enabling malicious RDP servers to trigger large out-of-bounds writes and potentially achieve remote code execution or client crash.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.67% probability of exploitation · percentile 47.0% · 2026-06-19T12:03:05Z
Published: 2026-05-26
Last modified: 2026-05-26

Underlying weaknesses · 1

CWE-122

References

  1. https://github.com/FreeRDP/FreeRDP/commit/23b36cd00ebf0ccd97750fcdbc9aa2f362352da7
  2. https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6r2-4hgm-m6ff
  3. https://www.vulncheck.com/advisories/freerdp-heap-buffer-overflow-in-gdi-cachetosurface-via-rectangle-validation-bypass

Type: Weakness
Target: Heap-based Buffer Overflow (cwe-122)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-23532
CVE: CVE-2026-44421
CVE: CVE-2026-23531
CVE: CVE-2026-23533
CVE: CVE-2026-23530
CVE: CVE-2026-23534

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.