CVE-2026-29776
Integer Underflow in FreeRDP Core Library Before
Publication date: 2026-03-13
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | < 3.24.0 (3.24.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29776 is an integer underflow vulnerability in the FreeRDP project's core library, specifically in the function update_read_cache_bitmap_order. The issue occurs because the code subtracts 8 from a bitmapLength field without first verifying that bitmapLength is at least 8. If bitmapLength is less than 8, this subtraction causes an integer underflow, wrapping the value to a very large number.

This underflow leads to improper memory allocation and reading from a network stream using this incorrect large value, which can cause crashes or excessive resource consumption. The vulnerability arises from improper input validation and was fixed in FreeRDP version 3.24.0 by adding a check to ensure bitmapLength is at least 8 before subtracting. [1, 2]
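As an added illustration (not FreeRDP's own code and not part of this page), the C below models the arithmetic described above against a constructed stream type: the pre-fix subtraction that wraps for bitmapLength values 0 to 7, beside a guarded version that rejects those values and also bounds the payload by the bytes still unread in the stream. The stream type, the header constant and the function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a network stream (not FreeRDP's wStream). */
typedef struct {
    const uint8_t *data;
    size_t length;
    size_t pos;
} stream_t;

#define BITMAP_HEADER_LEN 8 /* header bytes removed from bitmapLength before sizing the payload */

/* Pre-3.24.0 computation as described above: bitmapLength - 8 with no lower-bound
 * check. For 0..7 the result wraps to roughly 4 GB (e.g. 0 -> 0xFFFFFFF8), which
 * the vulnerable code then used as an allocation and stream-read size. */
static uint32_t payload_len_vulnerable(uint16_t bitmapLength)
{
    return (uint32_t)(bitmapLength - BITMAP_HEADER_LEN);
}

/* Hardened computation mirroring the 3.24.0 fix: reject bitmapLength < 8 before
 * subtracting, and also require the payload to fit in the bytes still unread.
 * Returns false when the update must be rejected. */
static bool payload_len_fixed(uint16_t bitmapLength, const stream_t *s, uint32_t *out)
{
    if (bitmapLength < BITMAP_HEADER_LEN)
        return false;                          /* would underflow */
    uint32_t len = bitmapLength - BITMAP_HEADER_LEN;
    if (len > s->length - s->pos)
        return false;                          /* would read past end of stream */
    *out = len;
    return true;
}

/* Parse one constructed record: little-endian uint16 bitmapLength followed by
 * bitmapLength - 8 payload bytes. Returns payload bytes consumed, or -1 on reject. */
static long parse_record_fixed(stream_t *s)
{
    if (s->length - s->pos < 2)
        return -1;
    uint16_t bitmapLength = (uint16_t)(s->data[s->pos] | (s->data[s->pos + 1] << 8));
    s->pos += 2;
    uint32_t len;
    if (!payload_len_fixed(bitmapLength, s, &len))
        return -1;
    s->pos += len;
    return (long)len;
}
```

The record layout is simplified to the two fields the bug involves; a real cache bitmap order carries additional header fields before the payload.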
How can this vulnerability impact me?
This vulnerability can lead to denial-of-service (DoS) conditions by causing the affected FreeRDP process to crash or consume excessive system resources. Specifically, due to the integer underflow, the program may allocate a very large amount of memory (around 4 GB) and perform out-of-bounds reads from the network stream.
If exploited, an attacker could cause the FreeRDP client or server to become unresponsive or crash, disrupting remote desktop sessions. The attack requires network access and user interaction, and has a low severity score (CVSS 3.1 base score 3.1).
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from improper handling of the bitmapLength field in FreeRDP versions prior to 3.24.0, specifically when the bitmapLength is between 0 and 7, causing an integer underflow. Detection involves monitoring FreeRDP network traffic for suspicious or malformed bitmapLength values that could trigger this condition.
Since the vulnerability is triggered by network input processed by FreeRDP, one approach is to capture and analyze RDP traffic to identify packets with bitmapLength values less than 8 in the cache bitmap order updates.
There are no explicit commands provided in the resources, but you can use packet capture tools like tcpdump or Wireshark to filter and inspect RDP traffic. For example:
- Use tcpdump to capture RDP traffic: `tcpdump -i <interface> port 3389 -w freerdp_traffic.pcap`
- Analyze the capture in Wireshark and look for cache bitmap order updates with bitmapLength fields less than 8.
Additionally, monitoring FreeRDP logs for crashes or abnormal memory allocation failures during RDP sessions may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade FreeRDP to version 3.24.0 or later, where the vulnerability is fixed by adding proper bounds checking to prevent integer underflow and excessive memory allocation.
Until the upgrade can be applied, consider restricting or monitoring RDP traffic to prevent untrusted or malformed bitmapLength values from reaching vulnerable FreeRDP instances.
Implement network-level controls such as firewall rules to limit access to FreeRDP services and apply intrusion detection/prevention systems to detect abnormal RDP traffic patterns.
Also, ensure that systems running FreeRDP have appropriate resource limits and monitoring to detect and mitigate potential denial-of-service conditions caused by this vulnerability.