Unrated severityNVD Advisory· Published Feb 25, 2026· Updated Feb 25, 2026

FreeRDP has possible Integer overflow in Stream_EnsureCapacity

CVE-2026-27951

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function Stream_EnsureCapacity can create an endless blocking loop. This may affect all client and server implementations using FreeRDP. For practical exploitation this will only work on 32bit systems where the available physical memory is >= SIZE_MAX. Version 3.23.0 contains a patch. No known workarounds are available.

Affected products

Freerdp/Freerdpv5
Range: < 3.23.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/FreeRDP/FreeRDP/commit/118afc0b954ba9d5632b7836ad24e454555ed113mitrex_refsource_MISC
github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qcfc-ghxr-h927mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000