Home / Vulnerability Intelligence / CVE-2026-26955

CVE-2026-26955 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: February 27, 2026

FreeRDP - Remote Code Execution

Published: February 25, 2026Updated: February 27, 2026PoC AvailableRemote Exploitable

Overview

FreeRDP < 3.23.0 contains a heap buffer overflow caused by missing bounds validation in the GDI surface pipeline ClearCodec command, letting malicious RDP servers execute arbitrary code remotely, exploit requires connection to a malicious server.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 4.2%(Probability of exploitation in next 30 days)

Impact

Malicious RDP servers can execute arbitrary code on FreeRDP clients, potentially leading to full system compromise.

Mitigation

Upgrade to version 3.23.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 26, 2026

🟠 CVE-2026-26955 - High (8.8) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCode... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26955/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-26955
Severity: High
CVSS Score: 8.8
Type: buffer_overflow
Status: confirmed
EPSS: 4.2%
Social Posts: 1

CWE

CWE-787

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score

4.2%Probability of exploitation in the next 30 days