Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-23532

created 2 months, 4 weeks ago

FreeRDP has heap-buffer-overflow in gdi_SurfaceToSurface

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr x_refsource_CONFIRM
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/gdi/gfx.c#L1368-L1382 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 x_refsource_MISC

Affected products

FreeRDP

==< 3.21.0

Matching in nixpkgs

pkgs.freerdp

Remote Desktop Protocol Client

nixos-25.11 3.17.2
- nixpkgs-25.11-darwin 3.17.2

pkgs.freerdpUnstable

Remote Desktop Protocol Client

nixos-unstable 3.16.0
- nixpkgs-unstable 3.16.0
- nixos-unstable-small 3.16.0

Package maintainers

@peterhoeg Peter Hoeg <peter@hoeg.com>