CVE-2026-57158
Received Received - Intake

Remote Code Execution in FreeRDP Client

Vulnerability report for CVE-2026-57158, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. From 3.21.0 before 3.28.0, FreeRDP clients using the GFX pipeline contain an incomplete fix for CVE-2026-23530 in planar_decompress_plane_rle_only in libfreerdp/codec/planar.c, allowing a malicious RDP server to send a truncated RDPGFX_CMDID_WIRETOSURFACE_1 planar payload that reads one byte past the input buffer. This issue is fixed in version 3.28.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
freerdp freerdp From 3.21.0 (inc) to 3.28.0 (exc)
freerdp freerdp 3.28.0
freerdp freerdp 3.27.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-57158 is a heap out-of-bounds read vulnerability in FreeRDP, specifically in the planar_decompress_plane_rle_only function within the libfreerdp/codec/planar.c file.

The vulnerability occurs because the function reads one byte past the end of the input buffer without properly validating the buffer boundaries. This happens when a malicious RDP server sends a truncated RDPGFX_CMDID_WIRETOSURFACE_1 planar payload.

This issue is an incomplete fix of a previous vulnerability (CVE-2026-23530) and affects FreeRDP clients using the GFX pipeline from versions 3.21.0 up to before 3.28.0.

The vulnerability allows reading memory beyond the intended buffer, classified as CWE-125 (Out-of-bounds Read).

Impact Analysis

This vulnerability allows a malicious RDP server to cause the FreeRDP client to read one byte beyond the allocated input buffer.

While the severity is rated as low, such out-of-bounds reads can potentially lead to information disclosure or cause the client to behave unexpectedly.

Exploitation requires no user interaction beyond connecting to a malicious RDP server, making it a risk for users who connect to untrusted or compromised servers.

Detection Guidance

This vulnerability occurs when a FreeRDP client using the GFX pipeline connects to a malicious RDP server that sends a truncated RDPGFX_CMDID_WIRETOSURFACE_1 planar payload causing a 1-byte out-of-bounds read. Detection involves monitoring FreeRDP client connections for abnormal or malformed RDPGFX_CMDID_WIRETOSURFACE_1 packets or crashes related to the planar codec.

Since the vulnerability is triggered by a specific malformed packet from the server, network detection could involve capturing and analyzing RDP traffic with tools like Wireshark or tcpdump to identify truncated or malformed RDPGFX_CMDID_WIRETOSURFACE_1 packets.

  • Use tcpdump to capture RDP traffic: tcpdump -i <interface> port 3389 -w rdp_traffic.pcap
  • Analyze the capture with Wireshark, filtering for RDPGFX packets and inspecting for truncated or malformed planar payloads.

On the system side, monitoring FreeRDP client logs for errors or crashes related to the planar codec function planar_decompress_plane_rle_only may help detect exploitation attempts.

Mitigation Strategies

The vulnerability is fixed in FreeRDP version 3.28.0 by implementing a proper range check and early abort in the planar_decompress_plane_rle_only function to prevent out-of-bounds reads.

Immediate mitigation steps include:

  • Upgrade FreeRDP clients to version 3.28.0 or later where the vulnerability is fixed.
  • If upgrading is not immediately possible, avoid connecting FreeRDP clients to untrusted or potentially malicious RDP servers.
  • Monitor FreeRDP client logs for any unusual errors or crashes that might indicate exploitation attempts.
Compliance Impact

The provided context and resources do not contain information regarding the impact of CVE-2026-57158 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57158. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart