Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-29775 is a moderate severity heap-buffer-overflow vulnerability in FreeRDP's bitmap cache subsystem, specifically in the function bitmap_cache_put. The issue is caused by an off-by-one boundary check error when validating the cacheId parameter. The function incorrectly allows cacheId to be equal to maxCells, which leads to accessing memory one element beyond the allocated array of bitmap cache cells."}, {'type': 'paragraph', 'content': 'A malicious Remote Desktop Protocol (RDP) server can exploit this by sending a CACHE_BITMAP_ORDER (Revision 1) message with cacheId set to maxCells, bypassing the boundary check. This causes the client to read and write out-of-bounds memory, potentially leading to heap corruption or crashes.'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in FreeRDP version 3.24.0 by correcting the boundary check to prevent out-of-bounds access.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by causing the FreeRDP client to crash, resulting in a denial of service (DoS).

More seriously, the out-of-bounds write may allow a malicious RDP server to corrupt heap memory adjacent to the bitmap cache cells. Depending on the heap layout, this could potentially enable arbitrary code execution on the client machine.

The attack requires no privileges or user interaction and can be triggered remotely by a malicious server.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability occurs when a malicious RDP server sends a CACHE_BITMAP_ORDER (Revision 1) with a cacheId equal to maxCells (e.g., 5), causing an out-of-bounds read/write in the FreeRDP client. Detection involves monitoring RDP traffic for suspicious CACHE_BITMAP_ORDER messages with out-of-range cacheId values.

Specifically, you can inspect RDP traffic to identify CACHE_BITMAP_ORDER messages where the cacheId is equal to or greater than the expected maximum (default maxCells is 5). This indicates a potential exploit attempt.

While no explicit commands are provided in the resources, network packet inspection tools like Wireshark or tcpdump can be used to capture and analyze RDP traffic. You can filter for RDP packets and look for CACHE_BITMAP_ORDER messages with cacheId values exceeding the normal range.

• Use Wireshark with a filter for RDP traffic and inspect bitmap cache orders for abnormal cacheId values.
• Use tcpdump to capture RDP traffic: tcpdump -i <interface> port 3389 -w capture.pcap
• Analyze the capture with Wireshark or a custom script to detect CACHE_BITMAP_ORDER messages with cacheId >= maxCells (5).

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade FreeRDP to version 3.24.0 or later, where the vulnerability has been fixed by correcting the boundary check in the bitmap_cache_put function.

This fix ensures that cacheId values equal to or greater than maxCells are properly rejected, preventing out-of-bounds access.

Additionally, the patch includes overallocating the bitmap cache cells array by one element to handle off-by-one cache indices from older or malicious RDP servers, improving robustness.

Until the upgrade can be applied, consider restricting or monitoring RDP connections to untrusted servers to reduce exposure to malicious payloads exploiting this vulnerability.

Useful 0 Not Useful 0