Marc-Andre Moreau

57 exploits Active since Aug 2023
CVE-2026-23531 WRITEUP CRITICAL WRITEUP
FreeRDP < 3.21.0 - Heap-based Buffer Overflow via RDPGFX Surface Updates
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVSS 9.8
CVE-2026-23532 WRITEUP CRITICAL WRITEUP
FreeRDP < 3.21.0 - Heap-based Buffer Overflow in gdi_SurfaceToSurface
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVSS 9.8
CVE-2026-23533 WRITEUP CRITICAL WRITEUP
FreeRDP < 3.21.0 - Heap-based Buffer Overflow in RDPGFX ClearCodec Decode Path
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVSS 9.8
CVE-2026-23534 WRITEUP CRITICAL WRITEUP
FreeRDP < 3.21.0 - Heap-based Buffer Overflow in ClearCodec Bands Decode Path
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVSS 9.8
CVE-2026-23732 WRITEUP HIGH WRITEUP
FreeRDP < 3.21.0 - Heap-based Buffer Overflow via FastGlyph Parsing
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client‑side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue.
CVSS 7.5
CVE-2026-23883 WRITEUP CRITICAL WRITEUP
FreeRDP < 3.21.0 - Use-After-Free in xf_Pointer_New
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVSS 9.8
CVE-2026-23884 WRITEUP CRITICAL WRITEUP
FreeRDP < 3.21.0 - Use-After-Free in Offscreen Bitmap Deletion
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVSS 9.8