CVE-2026-29776
Received Received - Intake
Integer Underflow in FreeRDP Core Library Before

Publication date: 2026-03-13

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, Integer Underflow in update_read_cache_bitmap_order Function of FreeRDP's Core Library This vulnerability is fixed in 3.24.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29776
EUVD
EUVD-2026-12059
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freerdp freerdp to 3.24.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-29776 is an integer underflow vulnerability in the FreeRDP project's core library, specifically in the function update_read_cache_bitmap_order. The issue occurs because the code subtracts 8 from a bitmapLength field without first verifying that bitmapLength is at least 8. If bitmapLength is less than 8, this subtraction causes an integer underflow, wrapping the value to a very large number."}, {'type': 'paragraph', 'content': 'This underflow leads to improper memory allocation and reading from a network stream using this incorrect large value, which can cause crashes or excessive resource consumption. The vulnerability arises from improper input validation and was fixed in FreeRDP version 3.24.0 by adding a check to ensure bitmapLength is at least 8 before subtracting.'}] [1, 2]

Impact Analysis

This vulnerability can lead to denial-of-service (DoS) conditions by causing the affected FreeRDP process to crash or consume excessive system resources. Specifically, due to the integer underflow, the program may allocate a very large amount of memory (around 4 GB) and perform out-of-bounds reads from the network stream.

If exploited, an attacker could cause the FreeRDP client or server to become unresponsive or crash, disrupting remote desktop sessions. The attack requires network access and user interaction, and has a low severity score (CVSS 3.1 base score 3.1).

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from improper handling of the bitmapLength field in FreeRDP versions prior to 3.24.0, specifically when the bitmapLength is between 0 and 7, causing an integer underflow. Detection involves monitoring FreeRDP network traffic for suspicious or malformed bitmapLength values that could trigger this condition.

Since the vulnerability is triggered by network input processed by FreeRDP, one approach is to capture and analyze RDP traffic to identify packets with bitmapLength values less than 8 in the cache bitmap order updates.

There are no explicit commands provided in the resources, but you can use packet capture tools like tcpdump or Wireshark to filter and inspect RDP traffic. For example:

  • Use tcpdump to capture RDP traffic: tcpdump -i <interface> port 3389 -w freerdp_traffic.pcap
  • Analyze the capture in Wireshark and look for cache bitmap order updates with bitmapLength fields less than 8.

Additionally, monitoring FreeRDP logs for crashes or abnormal memory allocation failures during RDP sessions may help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade FreeRDP to version 3.24.0 or later, where the vulnerability is fixed by adding proper bounds checking to prevent integer underflow and excessive memory allocation.

Until the upgrade can be applied, consider restricting or monitoring RDP traffic to prevent untrusted or malformed bitmapLength values from reaching vulnerable FreeRDP instances.

Implement network-level controls such as firewall rules to limit access to FreeRDP services and apply intrusion detection/prevention systems to detect abnormal RDP traffic patterns.

Also, ensure that systems running FreeRDP have appropriate resource limits and monitoring to detect and mitigate potential denial-of-service conditions caused by this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29776. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart