CVE-2026-29774
Received Received - Intake
Heap Buffer Overflow in FreeRDP AVC420 YUV-to-RGB Conversion

Publication date: 2026-03-13

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing horizontal bounds validation of H.264 metablock regionRects coordinates. In yuv.c, the clamp() function (line 347) only validates top/bottom against the surface/YUV height, but never checks left/right against the surface width. When avc420_yuv_to_rgb (line 67) computes destination and source pointers using rect->left, it performs unchecked pointer arithmetic that can reach far beyond the allocated surface buffer. A malicious server sends a WIRE_TO_SURFACE_PDU_1 with AVC420 codec containing a regionRects entry where left greatly exceeds the surface width (e.g., left=60000 on a 128px surface). The H.264 bitstream decodes successfully, then yuv420_process_work_callback calls avc420_yuv_to_rgb which computes pDstPoint = pDstData + rect->top * nDstStep + rect->left * 4, writing 16-byte SSE vectors 1888+ bytes past the allocated heap region. This vulnerability is fixed in 3.24.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29774
EUVD
EUVD-2026-12055
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freerdp freerdp to 3.24.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29774 is a heap buffer overflow vulnerability in FreeRDP versions prior to 3.24.0, occurring in the client-side AVC420/AVC444 YUV-to-RGB conversion process. The issue arises because the clamp() function only validates the top and bottom coordinates of H.264 metablock regionRects against the surface height but does not validate the left and right coordinates against the surface width.

During processing, the function avc420_yuv_to_rgb uses the left coordinate without bounds checking to compute destination pointers, leading to unchecked pointer arithmetic that can write beyond the allocated surface buffer. A malicious RDP server can exploit this by sending a specially crafted packet with an out-of-bounds left coordinate, causing the function to write data far beyond the allocated heap buffer.

This results in a heap buffer overflow that can corrupt heap memory, potentially causing a client crash (denial of service) or, depending on heap layout, enabling arbitrary code execution.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) by crashing the FreeRDP client due to heap corruption caused by the buffer overflow.

Additionally, because the attacker controls the offset of the out-of-bounds write, there is potential for arbitrary writes to adjacent heap objects. Depending on the heap allocator layout, this could be exploited to achieve arbitrary code execution on the client machine.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for abnormal client crashes or heap corruption events in FreeRDP clients prior to version 3.24.0 when connecting to potentially malicious RDP servers.'}, {'type': 'paragraph', 'content': 'A proof-of-concept exploit involves a malicious server sending a sequence of RDPGFX PDUs including CAPS_CONFIRM (enabling AVC420), CREATE_SURFACE (128x128), and WIRE_TO_SURFACE_PDU_1 with an out-of-bounds rectangle.'}, {'type': 'paragraph', 'content': 'Detection on the system could involve running FreeRDP clients with AddressSanitizer enabled to catch heap-buffer-overflow errors during RDP sessions.'}, {'type': 'paragraph', 'content': "Network detection might include inspecting RDP traffic for suspicious WIRE_TO_SURFACE_PDU_1 packets containing regionRects with abnormally large 'left' coordinates exceeding the surface width."}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the resources, but using debugging tools like AddressSanitizer or enabling verbose logging in FreeRDP clients during RDP sessions may help identify exploitation attempts.'}] [1]

Mitigation Strategies

The primary mitigation is to upgrade FreeRDP to version 3.24.0 or later, where the vulnerability is fixed by adding proper horizontal bounds validation for the left and right coordinates in the clamp() function.

If upgrading immediately is not possible, consider restricting connections to trusted RDP servers only, to avoid exposure to malicious servers sending crafted WIRE_TO_SURFACE_PDU_1 packets.

Monitoring client logs for crashes or heap corruption and disabling AVC420/AVC444 codecs if configurable might reduce risk temporarily.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29774. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart