CVE-2026-29774
Heap Buffer Overflow in FreeRDP AVC420 YUV-to-RGB Conversion
Publication date: 2026-03-13
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | up to 3.24.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29774 is a heap buffer overflow vulnerability in FreeRDP versions prior to 3.24.0, occurring in the client-side AVC420/AVC444 YUV-to-RGB conversion process. The issue arises because the clamp() function only validates the top and bottom coordinates of H.264 metablock regionRects against the surface height but does not validate the left and right coordinates against the surface width.
During processing, the function avc420_yuv_to_rgb uses the left coordinate without bounds checking to compute destination pointers, leading to unchecked pointer arithmetic that can write beyond the allocated surface buffer. A malicious RDP server can exploit this by sending a specially crafted packet with an out-of-bounds left coordinate, causing the function to write data far beyond the allocated heap buffer.
This results in a heap buffer overflow that can corrupt heap memory, potentially causing a client crash (denial of service) or, depending on heap layout, enabling arbitrary code execution.
How can this vulnerability impact me?
This vulnerability can lead to a denial of service (DoS) by crashing the FreeRDP client due to heap corruption caused by the buffer overflow.
Additionally, because the attacker controls the offset of the out-of-bounds write, there is potential for arbitrary writes to adjacent heap objects. Depending on the heap allocator layout, this could be exploited to achieve arbitrary code execution on the client machine.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for abnormal client crashes or heap corruption events in FreeRDP clients prior to version 3.24.0 when connecting to potentially malicious RDP servers.
A proof-of-concept exploit involves a malicious server sending a sequence of RDPGFX PDUs including CAPS_CONFIRM (enabling AVC420), CREATE_SURFACE (128x128), and WIRE_TO_SURFACE_PDU_1 with an out-of-bounds rectangle.
Detection on the system could involve running FreeRDP clients with AddressSanitizer enabled to catch heap-buffer-overflow errors during RDP sessions.
Network detection might include inspecting RDP traffic for suspicious WIRE_TO_SURFACE_PDU_1 packets containing regionRects with abnormally large 'left' coordinates exceeding the surface width.
Specific commands are not provided in the resources, but using debugging tools like AddressSanitizer or enabling verbose logging in FreeRDP clients during RDP sessions may help identify exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade FreeRDP to version 3.24.0 or later, where the vulnerability is fixed by adding proper horizontal bounds validation for the left and right coordinates in the clamp() function.
If upgrading immediately is not possible, consider restricting connections to trusted RDP servers only, to avoid exposure to malicious servers sending crafted WIRE_TO_SURFACE_PDU_1 packets.
Monitoring client logs for crashes or heap corruption and disabling AVC420/AVC444 codecs if configurable might reduce risk temporarily.
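The bug class described in the explanation above (a clamp that validates only top/bottom against the surface height) and the fix described in the mitigation answer (also validating left/right against the surface width) can be illustrated with a small C model. This is an added example, not FreeRDP's own code: the rect and surface types, the field names, the 128x128 sample surface and all function names are assumptions constructed for the illustration. It shows why an unchecked left coordinate produces an out-of-range destination offset and what the complete check looks like.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative types; these are assumptions for the example, not FreeRDP's
 * own declarations. Rects are half-open: pixels [left,right) x [top,bottom). */
typedef struct {
    uint16_t left, top, right, bottom;
} region_rect;

typedef struct {
    uint32_t width, height;   /* surface size in pixels */
    uint32_t stride;          /* bytes per destination row */
    uint32_t bpp;             /* bytes per pixel (4 for 32-bit RGB) */
    size_t   buffer_len;      /* allocated size of the destination buffer */
} surface_desc;

/* Constructed sample: a 128x128, 32-bit surface with a tight allocation. */
static const surface_desc SAMPLE_SURFACE = { 128, 128, 512, 4, 512 * 128 };

/* Vertical-only validation, modelling the pre-3.24.0 behaviour the advisory
 * describes: top/bottom are compared with the height, left/right never
 * with the width. Returns true when the rect is accepted. */
bool clamp_vertical_only(const region_rect *r, const surface_desc *s)
{
    if (r->top > r->bottom) return false;
    if (r->bottom > s->height) return false;
    return true;
}

/* Hardened validation: every edge is checked against the surface extent. */
bool clamp_all_edges(const region_rect *r, const surface_desc *s)
{
    if (r->top > r->bottom || r->left > r->right) return false;
    if (r->bottom > s->height) return false;
    if (r->right > s->width) return false;
    return true;
}

/* Byte range [*start, *end) that a row/column based converter would touch
 * for this rect: first byte at top*stride + left*bpp, last byte at the end
 * of pixel (right-1) on row (bottom-1). Returns true only if that range
 * lies inside the allocation, i.e. the write cannot leave the buffer. */
bool rect_write_in_bounds(const region_rect *r, const surface_desc *s,
                          size_t *start, size_t *end)
{
    *start = (size_t)r->top * s->stride + (size_t)r->left * s->bpp;
    if (r->right <= r->left || r->bottom <= r->top) {
        *end = *start;            /* empty rect: nothing is written */
        return true;
    }
    *end = (size_t)(r->bottom - 1) * s->stride + (size_t)r->right * s->bpp;
    return *end <= s->buffer_len;
}

/* 0 = accepted by both checks, 1 = accepted only by the vertical-only check
 * (the input class this CVE is about), 2 = rejected by both. */
int classify_rect(const region_rect *r, const surface_desc *s)
{
    bool v = clamp_vertical_only(r, s);
    bool a = clamp_all_edges(r, s);
    if (v && a) return 0;
    if (v && !a) return 1;
    return 2;
}

int main(void)
{
    region_rect rects[] = {
        {     0, 0,   128, 128 },   /* whole surface: valid */
        {   130, 0,   146,  16 },   /* slightly past the right edge */
        { 60000, 0, 60016,  16 },   /* far past the right edge */
    };
    for (size_t i = 0; i < sizeof rects / sizeof rects[0]; i++) {
        size_t start, end;
        bool ok = rect_write_in_bounds(&rects[i], &SAMPLE_SURFACE, &start, &end);
        printf("rect left=%u right=%u: class=%d bytes=[%zu,%zu) %s\n",
               (unsigned)rects[i].left, (unsigned)rects[i].right,
               classify_rect(&rects[i], &SAMPLE_SURFACE), start, end,
               ok ? "inside allocation" : "OVERFLOWS allocation");
    }
    return 0;
}
```

Two things are worth noticing in the output. A rect only slightly past the right edge passes the vertical-only check and its computed byte range still lands inside the 64 KiB allocation, because `left * bpp` simply wraps into the following rows; the write is already outside the intended region, but an allocator-level crash would not occur. A rect with a very large `left` value also passes the vertical-only check, and its byte range runs well past `buffer_len`, which is the heap overflow the advisory describes. The hardened check rejects both, because it compares `right` with the surface width before any pointer arithmetic happens; that ordering (validate the full rect first, compute destination pointers second) is the property to look for when reviewing similar decoders.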