CVE-2026-45700
Status: Analyzed - Analysis Complete
Heap Write in FreeRDP Planar Bitmap Decoder

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/planar.c, freerdp_bitmap_decompress_planar() validates the X destination coordinate nXDst against the caller-provided destination stride (nDstStep) even when it is writing into the internal temp buffer pTempData. An attacker can bypass the check with a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData. This vulnerability is fixed in 3.26.0.
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-05-30
EPSS Evaluated: 2026-06-18
References: NVD, EUVD
Affected Vendors & Products
Vendor: freerdp
Product: freerdp
Version / Range: all versions before 3.26.0 (3.26.0 itself excluded)
Exploitability
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
Executive Summary

This vulnerability exists in FreeRDP's planar bitmap decoder, specifically in the function freerdp_bitmap_decompress_planar(). The function incorrectly validates the X destination coordinate (nXDst) against the destination stride (nDstStep) even when writing to an internal temporary buffer (pTempData). An attacker can exploit this by providing large values for nDstStep and nXDst, causing the planar_decompress_plane_rle() function to write beyond the allocated bounds of pTempData.

This out-of-bounds heap write leads to heap corruption, which can cause a crash (denial of service) or potentially allow arbitrary code execution depending on memory allocator conditions and exploit mitigations.

The vulnerability affects FreeRDP versions prior to 3.26.0 and was introduced in a commit from February 2026. It has been fixed in version 3.26.0.
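
The model below is an added example written for this page; it is not FreeRDP's code and not taken from the advisory. It reconstructs the pattern the Description and Executive Summary name: a plane writer that fills an internal temp buffer (standing in for pTempData) while the admission check compares nXDst with the caller-supplied nDstStep rather than with the temp buffer's own row width, so a large nDstStep together with a large nXDst passes the check and the writer runs past the buffer's logical end. The second check is the caller-side validation a third-party integrator can apply before invoking the decoder (see Mitigation Strategies). The type and function names (plane_dst_t, write_plane_rle, check_vs_caller_stride, check_vs_actual_buffer, run_decode), the toy (run, value) RLE format, the 16x4 geometry and the guard-canary trick are all this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical, simplified model of the bug class described in the advisory.
 * Names and the toy RLE format are this example's own, not FreeRDP's;
 * one colour plane, one byte per pixel.
 */

#define CANARY     0xA5
#define GUARD_SIZE 128 /* slack kept after the temp buffer's logical end (demo only) */

typedef struct {
    uint8_t *buf;      /* buffer the plane writer actually fills (stands in for pTempData) */
    size_t   capacity; /* logical size in bytes: width * height */
    size_t   stride;   /* bytes per row the writer uses (the temp buffer's own step) */
} plane_dst_t;

/* Toy RLE: (run, value) byte pairs. Writes one row of `width` pixels at
 * (nXDst, nYDst). Only the addressing pattern matters for the demonstration. */
static size_t write_plane_rle(const uint8_t *src, size_t srcLen, plane_dst_t *dst,
                              size_t nXDst, size_t nYDst, size_t width)
{
    uint8_t *row = dst->buf + nYDst * dst->stride + nXDst;
    size_t x = 0;
    for (size_t i = 0; i + 1 < srcLen && x < width; i += 2)
        for (size_t r = 0; r < (size_t)src[i] && x < width; r++)
            row[x++] = src[i + 1];
    return x;
}

/* Vulnerable pattern: X is validated against the caller's nDstStep although
 * the bytes land in the temp buffer, whose rows are only `stride` bytes wide. */
bool check_vs_caller_stride(size_t nXDst, size_t width, size_t nDstStep)
{
    return nXDst + width <= nDstStep;
}

/* Hardened pattern: validate against the geometry of the buffer that is
 * actually written, with overflow-safe arithmetic. */
bool check_vs_actual_buffer(const plane_dst_t *dst, size_t nXDst, size_t nYDst,
                            size_t width, size_t height)
{
    if (width == 0 || height == 0)
        return false;
    if (nXDst > dst->stride || width > dst->stride - nXDst) /* row overflow */
        return false;
    if (nYDst > SIZE_MAX - height)
        return false;
    size_t lastRow  = nYDst + height - 1;
    size_t rowBytes = nXDst + width; /* <= stride, so it cannot wrap */
    if (lastRow > (SIZE_MAX - rowBytes) / dst->stride)
        return false;
    return lastRow * dst->stride + rowBytes <= dst->capacity;
}

/* Decodes one constructed RLE row into a 16x4 temp buffer using either check.
 * Returns -1 if the check rejected the request, otherwise the number of guard
 * bytes past the logical end that were overwritten (0 means no overrun). */
int run_decode(bool hardened, size_t nXDst, size_t nDstStep)
{
    const size_t width = 16, height = 4;
    const uint8_t plane[] = { 8, 0x11, 8, 0x22 }; /* constructed input: 16 pixels */
    plane_dst_t tmp = { NULL, width * height, width };

    tmp.buf = malloc(tmp.capacity + GUARD_SIZE);
    if (!tmp.buf)
        return -2;
    memset(tmp.buf, 0, tmp.capacity);
    memset(tmp.buf + tmp.capacity, CANARY, GUARD_SIZE);

    bool admitted = hardened ? check_vs_actual_buffer(&tmp, nXDst, 0, width, 1)
                             : check_vs_caller_stride(nXDst, width, nDstStep);
    int clobbered = -1;
    if (admitted) {
        /* Keep the demo itself well-defined: never write past the guard region. */
        if (nXDst + width > tmp.capacity + GUARD_SIZE) {
            free(tmp.buf);
            return -3;
        }
        write_plane_rle(plane, sizeof(plane), &tmp, nXDst, 0, width);
        clobbered = 0;
        for (size_t i = 0; i < GUARD_SIZE; i++)
            if (tmp.buf[tmp.capacity + i] != CANARY)
                clobbered++;
    }
    free(tmp.buf);
    return clobbered;
}

int main(void)
{
    /* Large nDstStep plus large nXDst: the stride check passes and 8 bytes land past the end. */
    printf("caller-stride check, nXDst=56 nDstStep=4096: %d guard bytes clobbered\n",
           run_decode(false, 56, 4096));
    printf("actual-buffer check, nXDst=56 nDstStep=4096: %d (rejected)\n",
           run_decode(true, 56, 4096));
    printf("in-bounds request, nXDst=0: %d guard bytes clobbered\n", run_decode(true, 0, 16));
    return 0;
}
```

The guard region exists only so the demo can observe the overrun without undefined behaviour; in the real decoder the same bytes land in whatever the heap allocator placed after pTempData, which is the heap corruption the Impact Analysis describes. The hardened check is the shape of validation to apply on both sides of the API boundary: the library against the buffer it actually writes, and a third-party caller against its own destination before passing nXDst and nDstStep in.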

Impact Analysis

This vulnerability can lead to heap corruption through an out-of-bounds write, which may cause the affected application to crash, resulting in a denial of service.

More critically, under certain conditions related to the memory allocator and exploit mitigations, an attacker might leverage this vulnerability to execute arbitrary code on the affected system.

Note, however, that the FreeRDP client and server themselves are not directly affected; the issue affects third-party code that calls FreeRDP's planar decoder with its own destination parameters (nXDst, nDstStep), since those caller-supplied values are what the flawed check compares.

Detection Guidance

This vulnerability involves a heap-buffer-overflow write in FreeRDP's planar bitmap decoder prior to version 3.26.0. Detection typically requires monitoring for crashes or abnormal behavior in applications using vulnerable FreeRDP versions.

Since the vulnerability is triggered by malformed RLE planar data causing out-of-bounds writes, detection can involve running the vulnerable FreeRDP version under a memory error detector such as AddressSanitizer (build the library with -fsanitize=address), which reports the overrun past pTempData at the faulting write instead of as a later, unrelated crash.

No specific network detection commands or signatures are provided in the available resources.

For system-level detection, check the installed FreeRDP version and, for third-party applications, the version of the libfreerdp library they actually link against, for example:

  • xfreerdp --version (or the corresponding wlfreerdp / sdl-freerdp client, whichever is installed)
  • pkg-config --modversion freerdp3
  • ldd /path/to/app | grep -i freerdp

If the reported version is earlier than 3.26.0, the library is vulnerable unless the distribution has backported the fix; in that case consult the package changelog rather than relying on the version number alone.

Mitigation Strategies

The primary mitigation step is to upgrade FreeRDP to version 3.26.0 or later, where the vulnerability has been fixed.

If upgrading immediately is not possible, third-party integrators that call the planar decoder should validate the destination parameters they pass (nXDst, nYDst, nDstStep and the bitmap dimensions) against the real size of their destination buffer before invoking it, and should avoid feeding the decoder planar data from untrusted sources.

Additionally, running FreeRDP in a sandboxed environment or with exploit mitigations enabled can help reduce the impact of potential exploitation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
