CVE-2026-26965
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, planar_decompress_plane_rle() writes into pDstData at ((nYDst+y) * nDstStep) + (4*nXDst) + nChannel without verifying that (nYDst+nSrcHeight) fits in the destination height or that (nXDst+nSrcWidth) fits in the destination stride. When TempFormat != DstFormat, pDstData becomes planar->pTempData (sized for the desktop), while nYDst is only validated against the surface by is_within_surface(). A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128×128), an adjacent NSC_CONTEXT struct's decode function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (nsc->decode = 0xFF414141FF414141). Version 3.23.0 fixes the vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| FreeRDP | FreeRDP | < 3.23.0 | affected |
Weaknesses
- CWE-787: CWE-787: Out-of-bounds Write
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
freerdp: FreeRDP: Arbitrary code execution via heap out-of-bounds write in RLE planar decode path
Additional References
- https://access.redhat.com/security/cve/CVE-2026-26965
- https://bugzilla.redhat.com/show_bug.cgi?id=2442959
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26965.json
- https://access.redhat.com/errata/RHSA-2026:7292
- https://access.redhat.com/errata/RHSA-2026:5936
- https://access.redhat.com/errata/RHSA-2026:5939
- https://access.redhat.com/errata/RHSA-2026:19033
- https://access.redhat.com/errata/RHSA-2026:6005
- https://access.redhat.com/errata/RHSA-2026:6712
- https://access.redhat.com/errata/RHSA-2026:6616
- https://access.redhat.com/errata/RHSA-2026:6665
- https://access.redhat.com/errata/RHSA-2026:6764
- https://access.redhat.com/errata/RHSA-2026:6395
- https://access.redhat.com/errata/RHSA-2026:6396
- https://access.redhat.com/errata/RHSA-2026:6384
- https://access.redhat.com/errata/RHSA-2026:6385
- https://access.redhat.com/errata/RHSA-2026:6004
References
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5vgf-mw4f-r33h
- https://github.com/FreeRDP/FreeRDP/commit/a0be5cb87d760bb1c803ad1bb835aa1e73e62abc
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.