CVE-2026-26271

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer overread in freerdp_image_copy_from_icon_data() (libfreerdp/codec/color.c) can be triggered by crafted RDP Window Icon (TSICONINFO) data. The bug is reachable over the network when a client processes icon data from an RDP server (or from a man-in-the-middle). Version 3.23.0 fixes the issue.

Database specific

{
    "cwe_ids": [
        "CWE-126"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26271.json"
}

References

Affected packages

Git / github.com/freerdp/freerdp

Affected ranges

Type

GIT

Repo

https://github.com/freerdp/freerdp

Events

Introduced

Fixed

b933ae18d9ad2a1d73c610868fcc30eb61654070

Fixed

f5e20403d6e325e11b68129803f967fb5aeec1cb

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.23.0"
        }
    ]
}

Affected versions

1.*

1.0-beta1

1.0-beta2

1.0-beta4

1.0-beta5

1.0.0

1.0.1

1.1.0-beta+2013071101

1.1.0-beta1

1.1.0-beta1+android2

1.1.0-beta1+android3

1.1.0-beta1+android4

1.1.0-beta1+android5

1.1.0-beta1+ios1

1.1.0-beta1+ios2

1.1.0-beta1+ios3

1.1.0-beta1+ios4

1.2.0-beta1+android7

1.2.0-beta1+android9

2.*

2.0.0

2.0.0-beta1+android10

2.0.0-beta1+android11

2.0.0-rc0

2.0.0-rc1

2.0.0-rc2

2.0.0-rc3

2.0.0-rc4

3.*

3.0.0

3.0.0-beta1

3.0.0-beta2

3.0.0-beta3

3.0.0-beta4

3.0.0-rc0

3.1.0

3.2.0

3.3.0

3.4.0

3.5.0

3.5.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-26271.json"

vanir_signatures_modified

"2026-04-14T14:45:04Z"

vanir_signatures

[
    {
        "signature_type": "Line",
        "id": "CVE-2026-26271-3fec28e8",
        "source": "https://github.com/freerdp/freerdp/commit/f5e20403d6e325e11b68129803f967fb5aeec1cb",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "171928126880497592269955548143630854894",
                "35076541736833197168015039985545021135",
                "87338193560135429585301245485094934007",
                "230402938174537687929010848484726732497",
                "65467335349324277906703701622623456956",
                "263499239447972342965997973323544743620",
                "154805799600937538250575270881350114780",
                "274109789061407310442623642489492918700",
                "47369612065068981575944382397753215871",
                "217987582687838621959814116960592694070",
                "188603317269926135434721419127370835321",
                "197664404593065227473177525281224445535",
                "311328177234615159638573571189076152178",
                "182634005840461306504649238352420714988",
                "138130048466308048226773404555220991679",
                "117915952367021218336566238782359127586",
                "327352372703365482435323404258943897603",
                "217925211591772432980202627173821286816",
                "328912043882708913592769160507500860638",
                "122129378023919170662835236389715682939",
                "339164056393870514728411877465575053534",
                "320245763337605652386692722877551780417",
                "8542507803250024192358444788866020077",
                "115200983613392372111638217137499955168",
                "318395049425471231536714561344615078077",
                "38788492049031638892298819064094243148",
                "202420649078473970423957398800182293852",
                "243145681381479291907455779461876026421",
                "296173760482540611936917600532367093645",
                "130251164229524017292272260253746959577",
                "139874812486814514407542519557409398443"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "libfreerdp/codec/color.c"
        },
        "signature_version": "v1"
    }
]