Logo
vulnerabilityCVE-2026-26271
Name
CVE-2026-26271
Source
NVD ( link)Debian ( link)
Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer overread in `freerdp_image_copy_from_icon_data()` (libfreerdp/codec/color.c) can be triggered by crafted RDP Window Icon (TS_ICON_INFO) data. The bug is reachable over the network when a client processes icon data from an RDP server (or from a man-in-the-middle). Version 3.23.0 fixes the issue.
CWEs
CWE-126
Published Date
Updated Date
Workaround
-
Advisories
https://github.com/FreeRDP/FreeRDP/commit/f5e20403d6e325e11b68129803f967fb5aeec1cbPatch
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hr4m-ph4g-48j6Patch

Analysis#

Affected Component
Analysis
freerdp
Exploitable

Vulnerability Ratings#

5.5
CVSSv4
5.3
CVSSv31
NaN
other

Others affected components#

Name
Project
Project Version
Version
Status
freerdp
buildroot
2025.02.x
2.11.8
Exploitable
freerdp
yocto
kirkstone
2.6.1
Exploitable
freerdp
yocto
master
2.11.8
Exploitable
freerdp3
yocto
master
3.26.0
Not Affected
freerdp
yocto
scarthgap
2.11.8
Exploitable
freerdp3
yocto
scarthgap
3.4.0
Exploitable