CVE-2026-26965
Heap Out-of-Bounds Write in FreeRDP RLE Planar Decoder
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | to 3.23.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26965 is a vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. Before version 3.23.0, the function planar_decompress_plane_rle() in the RLE planar decode path writes data into a destination buffer without properly verifying that the write fits within the buffer's boundaries. Specifically, it does not check if the vertical and horizontal dimensions of the write exceed the destination height or stride.
When the temporary format differs from the destination format, the destination buffer becomes a temporary buffer sized for the desktop, but the vertical coordinate is only validated against the surface size, not the temporary buffer size. This allows a malicious RDP server to exploit the vulnerability to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client.
The out-of-bounds write can reach up to 132,096 bytes past the end of the temporary buffer and can overwrite adjacent memory structures, including function pointers. This can lead to control-flow corruption, allowing an attacker to execute arbitrary code. The vulnerability was fixed in FreeRDP version 3.23.0 by adding strict bounds checks before decompression.
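As an added illustration (example code written for this page, not FreeRDP's own code), the toy decoder below shows the kind of check the fix is described as adding: the write rectangle is validated against the height and stride of the buffer that is actually written, and a second helper shows why validating the vertical coordinate against the surface height alone is insufficient when the destination is a smaller temporary buffer. The `plane_dst_t` type, the byte-pair RLE format and the 4-row buffer are constructed for the example and do not reflect FreeRDP's internal layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical descriptor for the buffer a plane is decoded into (example
 * type, not FreeRDP's). height/stride describe the buffer actually written,
 * which may be a temporary buffer rather than the final surface. */
typedef struct {
    uint8_t *data;
    size_t height;   /* rows allocated in data */
    size_t stride;   /* bytes per row allocated in data */
} plane_dst_t;

/* The bounds check the advisory describes: the rectangle must fit the buffer
 * being written, measured by that buffer's own height and stride. Written
 * with subtraction so the arithmetic cannot wrap around. */
bool plane_write_fits(const plane_dst_t *dst, size_t x, size_t y,
                      size_t width, size_t rows)
{
    if (dst == NULL || dst->data == NULL) return false;
    if (rows > dst->height || y > dst->height - rows) return false;
    if (width > dst->stride || x > dst->stride - width) return false;
    return true;
}

/* Decode a toy RLE stream (pairs of run-length, byte value; constructed for
 * this example, not FreeRDP's planar RLE) into the rectangle (x, y, width,
 * rows) of dst. Returns bytes written, or -1 if the rectangle does not fit
 * or the stream is truncated/inconsistent. Nothing is written on failure. */
long decode_plane_rle(const uint8_t *src, size_t src_len, plane_dst_t *dst,
                      size_t x, size_t y, size_t width, size_t rows)
{
    if (width == 0 || rows == 0) return 0;
    if (rows > SIZE_MAX / width) return -1;            /* width*rows overflow */
    if (!plane_write_fits(dst, x, y, width, rows)) return -1;

    size_t total = width * rows, written = 0, i = 0;
    while (written < total) {
        if (i + 2 > src_len) return -1;                /* truncated stream */
        size_t run = src[i], val = src[i + 1];
        i += 2;
        if (run == 0 || run > total - written) return -1;  /* run overruns rect */
        for (size_t k = 0; k < run; k++, written++) {
            size_t row = y + written / width, col = x + written % width;
            dst->data[row * dst->stride + col] = (uint8_t)val;
        }
    }
    return (long)written;
}

/* Models the mismatch in the advisory: the surface is taller than the
 * temporary buffer actually written. True when a check against the surface
 * height accepts a rectangle that the real buffer cannot hold. */
bool surface_check_is_insufficient(size_t surface_height,
                                   const plane_dst_t *tmp, size_t y, size_t rows)
{
    bool passes_surface_check = rows <= surface_height && y <= surface_height - rows;
    bool fits_real_buffer = plane_write_fits(tmp, 0, y, tmp->stride, rows);
    return passes_surface_check && !fits_real_buffer;
}

/* Scenarios on a constructed 4-row x 8-byte buffer. */
long example_in_bounds(void)
{
    uint8_t buf[4 * 8] = {0};
    plane_dst_t dst = { buf, 4, 8 };
    const uint8_t stream[] = { 3, 0xAA, 1, 0xBB };   /* decodes to AA AA AA BB */
    long n = decode_plane_rle(stream, sizeof stream, &dst, 2, 1, 2, 2);
    if (n != 4) return n;
    /* the 2x2 rectangle at (2,1) must hold exactly those bytes, row by row */
    if (buf[1 * 8 + 2] != 0xAA || buf[1 * 8 + 3] != 0xAA ||
        buf[2 * 8 + 2] != 0xAA || buf[2 * 8 + 3] != 0xBB) return -2;
    return n;
}

long example_rejected(void)
{
    uint8_t buf[4 * 8] = {0};
    plane_dst_t dst = { buf, 4, 8 };
    const uint8_t stream[] = { 3, 0xAA, 1, 0xBB };
    /* y=3 with 2 rows needs 5 rows; only 4 exist, so refused before any write */
    return decode_plane_rle(stream, sizeof stream, &dst, 2, 3, 2, 2);
}

bool example_surface_mismatch(void)
{
    uint8_t buf[4 * 8] = {0};
    plane_dst_t tmp = { buf, 4, 8 };
    /* surface is 16 rows tall, temporary buffer only 4 */
    return surface_check_is_insufficient(16, &tmp, 3, 2);
}

int main(void)
{
    printf("in-bounds write: %ld bytes\n", example_in_bounds());
    printf("out-of-bounds write rejected: %s\n", example_rejected() == -1 ? "yes" : "no");
    printf("surface-only check insufficient: %s\n", example_surface_mismatch() ? "yes" : "no");
    return 0;
}
```

The point of `surface_check_is_insufficient` is the one the advisory makes: the coordinate check must be tied to the buffer that receives the bytes, not to the logical surface the data will eventually land on.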
How can this vulnerability impact me?
This vulnerability can have severe impacts on users of vulnerable FreeRDP clients. A malicious RDP server can exploit the heap out-of-bounds write to corrupt memory, including overwriting function pointers, which can lead to arbitrary code execution on the client machine.
Such exploitation can compromise the security and integrity of the client system, potentially allowing attackers to gain control, steal sensitive information, or disrupt services.
Because the vulnerability can be triggered remotely without privileges and requires only user interaction (connecting to a malicious RDP server), it poses a high risk to users who connect to untrusted or compromised RDP servers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a heap out-of-bounds write in FreeRDP clients prior to version 3.23.0 when connecting to a malicious RDP server. Detection can focus on identifying vulnerable FreeRDP client versions or monitoring for anomalous behavior related to RDP sessions.
- Check the installed FreeRDP version on your system to see if it is older than 3.23.0.
- Use commands like `xfreerdp --version` (the client binary is named `xfreerdp`, not `freerdp`) or `dpkg -l | grep freerdp` (on Debian-based systems) to determine the installed version.
- Monitor network traffic for suspicious RDP connections, especially from untrusted servers.
- Look for error logs or crashes related to planar codec decompression in FreeRDP logs, which might indicate exploitation attempts.
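An added example, not from this page or the FreeRDP project: a small version classifier that pulls the first dotted version number out of lines shaped like `xfreerdp --version` or `dpkg -l` output and compares it numerically against 3.23.0, the first fixed release named above (it follows the affected range as the page states it, anything below 3.23.0). Numeric comparison matters because a plain string comparison would rank 3.9.0 above 3.23.0, and the parser skips digits glued to package names such as `freerdp3-x11`. The sample lines are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* First fixed release per the advisory; versions below it are affected. */
static const unsigned FIXED_VERSION[3] = { 3, 23, 0 };

/* Extract the first dotted version (major.minor[.patch]) from a line of text.
 * A digit run only qualifies if it starts a token (beginning of line or after
 * a non-alphanumeric character) and is followed by ".<digit>", so "freerdp3"
 * or "libfreerdp3-3" are not mistaken for versions. Missing components are 0. */
bool parse_version(const char *text, unsigned v[3])
{
    const char *p = text;
    while (*p) {
        if (isdigit((unsigned char)*p) && (p == text || !isalnum((unsigned char)p[-1]))) {
            char *end;
            unsigned long major = strtoul(p, &end, 10);
            if (*end == '.' && isdigit((unsigned char)end[1])) {
                v[0] = (unsigned)major; v[1] = v[2] = 0;
                p = end + 1;
                for (int i = 1; i < 3; i++) {
                    v[i] = (unsigned)strtoul(p, &end, 10);
                    if (*end != '.' || !isdigit((unsigned char)end[1])) break;
                    p = end + 1;
                }
                return true;
            }
            p = end;          /* bare number without a dot: keep scanning */
            continue;
        }
        p++;
    }
    return false;
}

/* Three-way numeric comparison of two parsed versions. */
int compare_version(const unsigned a[3], const unsigned b[3])
{
    for (int i = 0; i < 3; i++) {
        if (a[i] < b[i]) return -1;
        if (a[i] > b[i]) return 1;
    }
    return 0;
}

/* Classify one line: 1 = affected (below 3.23.0), 0 = fixed,
 * -1 = no version found (reported, never silently treated as safe). */
int classify_version_line(const char *line)
{
    unsigned v[3];
    if (!parse_version(line, v)) return -1;
    return compare_version(v, FIXED_VERSION) < 0 ? 1 : 0;
}

/* Constructed sample lines in the shape of `xfreerdp --version` and
 * `dpkg -l | grep freerdp` output; returns how many are classified affected. */
int example_scan(void)
{
    static const char *samples[] = {
        "This is FreeRDP version 3.22.0 (constructed)",
        "This is FreeRDP version 3.23.0 (constructed)",
        "ii  freerdp3-x11  3.5.1+dfsg1-1  amd64  RDP client (constructed)",
        "ii  libfreerdp3-3  3.23.1-1  amd64  (constructed)",
        "no version string on this line (constructed)",
    };
    int affected = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = classify_version_line(samples[i]);
        printf("%-8s %s\n", r == 1 ? "AFFECTED" : r == 0 ? "fixed" : "unknown", samples[i]);
        affected += (r == 1);
    }
    return affected;
}

int main(void)
{
    printf("%d affected line(s)\n", example_scan());
    return 0;
}
```

Feed it real output by piping `xfreerdp --version` or `dpkg -l | grep freerdp` through the classifier one line at a time; lines that yield -1 deserve a manual look rather than being skipped.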
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade FreeRDP to version 3.23.0 or later, where the vulnerability has been fixed by adding strict bounds checks in the planar codec decompression function.
- Update FreeRDP to version 3.23.0 or newer.
- If immediate upgrade is not possible, restrict connections to trusted RDP servers only to reduce exposure.
- Monitor FreeRDP client logs for errors related to planar decompression which might indicate exploitation attempts.