CVE-2026-45700
Heap Write in FreeRDP Planar Bitmap Decoder
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | 3.26.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in FreeRDP's planar bitmap decoder, specifically in the function freerdp_bitmap_decompress_planar(). The function incorrectly validates the X destination coordinate (nXDst) against the destination stride (nDstStep) even when writing to an internal temporary buffer (pTempData). An attacker can exploit this by providing large values for nDstStep and nXDst, causing the planar_decompress_plane_rle() function to write beyond the allocated bounds of pTempData.
This out-of-bounds heap write leads to heap corruption, which can cause a crash (denial of service) or potentially allow arbitrary code execution depending on memory allocator conditions and exploit mitigations.
The vulnerability affects FreeRDP versions prior to 3.26.0 and was introduced in a commit from February 2026. It has been fixed in version 3.26.0.
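A hypothetical model of the check the answer above describes, added here as an example and not taken from FreeRDP's source: the flawed variant validates nXDst only against nDstStep, while the hardened variant derives its bound from the buffer that actually receives the bytes. The struct, function and parameter names beyond those mentioned above are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the check described above; this is not FreeRDP's
 * code, and the struct and parameter names are assumptions for illustration. */
typedef struct
{
    uint8_t* data;   /* buffer the decoded plane is actually written to */
    size_t capacity; /* bytes really allocated for that buffer */
} plane_buffer;

/* Flawed pattern: nXDst is validated only against nDstStep, the stride of the
 * final destination, even when the write goes to a separate temporary buffer
 * whose size has nothing to do with nDstStep. Large values for both pass. */
static bool plane_write_fits_flawed(uint32_t nXDst, uint32_t nDstStep,
                                    uint32_t nWidth)
{
    return (uint64_t)nXDst + nWidth <= nDstStep;
}

/* Hardened check: every bound comes from the buffer that receives the bytes
 * (its own stride and allocated size), computed in 64 bits to avoid wrap. */
static bool plane_write_fits(const plane_buffer* dst, uint32_t nXDst,
                             uint32_t nYDst, uint32_t nStep,
                             uint32_t nWidth, uint32_t nHeight)
{
    if (!dst || !dst->data || nWidth == 0 || nHeight == 0)
        return false;
    if (nWidth > nStep || nXDst > nStep - nWidth)
        return false; /* a single row would run past the stride */
    const uint64_t last_row = (uint64_t)nYDst + nHeight - 1;
    const uint64_t end = last_row * nStep + nXDst + nWidth;
    return end <= dst->capacity;
}

/* Constructed sample: a 64x64 one-byte-per-pixel temporary plane buffer. */
static uint8_t g_temp[64 * 64];
static const plane_buffer g_temp_buf = { g_temp, sizeof g_temp };

int main(void)
{
    const uint32_t big_step = 1u << 20, big_x = 1u << 16;
    printf("flawed check accepts: %d\n",
           plane_write_fits_flawed(big_x, big_step, 64));
    printf("hardened check accepts: %d\n",
           plane_write_fits(&g_temp_buf, big_x, 0, 64, 64, 64));
    return 0;
}
```

With the constructed values the flawed check accepts the write while the hardened check rejects it, because the 4096-byte temporary buffer, not the caller-supplied stride, is the real limit.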
How can this vulnerability impact me?
This vulnerability can lead to heap corruption through an out-of-bounds write, which may cause the affected application to crash, resulting in a denial of service.
More critically, under certain conditions related to the memory allocator and exploit mitigations, an attacker might leverage this vulnerability to execute arbitrary code on the affected system.
However, it is important to note that neither FreeRDP servers nor clients are impacted by this vulnerability directly; it affects third-party implementations using FreeRDP's planar decoder.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a heap-buffer-overflow write in FreeRDP's planar bitmap decoder prior to version 3.26.0. Detection typically requires monitoring for crashes or abnormal behavior in applications using vulnerable FreeRDP versions.
Since the vulnerability is triggered by malformed RLE planar data causing out-of-bounds writes, detection can involve running the vulnerable FreeRDP version under memory error detection tools such as AddressSanitizer to identify heap corruption.
No specific network detection commands or signatures are provided in the available resources.
For system-level detection, you can check the installed FreeRDP version with commands like:
- freerdp --version
If the version is earlier than 3.26.0, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade FreeRDP to version 3.26.0 or later, where the vulnerability has been fixed.
If upgrading immediately is not possible, consider restricting or monitoring the use of FreeRDP planar bitmap decoding features, especially from untrusted sources, to reduce exposure.
Additionally, running FreeRDP in a sandboxed environment or with exploit mitigations enabled can help reduce the impact of potential exploitation.