Heap-based buffer overflow in FreeRDP - #VU137834
Published: July 16, 2026
FreeRDP
Detailed vulnerability description
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in rail_server_handle_messages() in the server-side RAIL channel handling code when processing a crafted RAIL PDU header with an orderLength smaller than the fixed header length. A remote user can send a specially crafted RDP client message to cause a denial of service.
The issue is triggered when a malicious or compromised RDP client can reach the server-side RAIL channel.