Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128×128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability.
Published: 2026-02-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via heap out‑of‑bounds write
Action: Immediate Patch
AI Analysis

Impact

FreeRDP, a free Remote Desktop Protocol implementation, contains an out‑of‑bounds write in the RLE planar decode routine prior to version 3.23.0. The routine writes pixel data without verifying that destination coordinates remain within the allocated buffer, allowing an attacker to overflow the temporary buffer by up to 132,096 bytes. When the temporary buffer is overwritten, a neighboring NSC_CONTEXT structure’s decode function pointer can be corrupted, enabling control‑flow hijacking. This flaw provides attackers with the potential to execute arbitrary code on a FreeRDP client during a normal RDP session.
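The missing check described above, written out as an added example in C. This is not FreeRDP's code and not its 3.23.0 fix: the `dst_buffer_t` descriptor, its field names and the function names are assumptions made for the example. The point it demonstrates is that the plane's rectangle has to be validated against the buffer that is actually written, including the smaller temporary buffer, and that the comparison is done in 64-bit arithmetic so an oversized offset cannot wrap around it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical destination descriptor (added example; not a FreeRDP type). */
typedef struct {
    uint8_t *data;   /* pixel buffer the decoder writes into */
    uint32_t width;  /* width in pixels */
    uint32_t height; /* height in rows */
    uint32_t stride; /* bytes per row, the nDstStep of the description */
    uint32_t bpp;    /* bytes per pixel; 4 matches the (4*nXDst) term */
} dst_buffer_t;

/* True only when an nSrcWidth x nSrcHeight plane placed at (nXDst, nYDst) lies
 * entirely inside dst. 64-bit arithmetic keeps an oversized, server-supplied
 * offset from wrapping around and passing the comparison. */
static bool planar_dst_rect_fits(const dst_buffer_t *dst, uint32_t nXDst,
                                 uint32_t nYDst, uint32_t nSrcWidth,
                                 uint32_t nSrcHeight)
{
    if (!dst || !dst->data || dst->bpp == 0)
        return false;
    /* A stride smaller than width*bpp means the buffer is mis-described. */
    if ((uint64_t)dst->width * dst->bpp > dst->stride)
        return false;
    if ((uint64_t)nYDst + nSrcHeight > dst->height)
        return false;
    if (((uint64_t)nXDst + nSrcWidth) * dst->bpp > dst->stride)
        return false;
    return true;
}

/* When the formats differ the decoder writes into a temp buffer instead of the
 * surface. Checking the surface and then writing the temp buffer is the
 * mismatch in the description, so the check here targets whichever buffer
 * is actually written. Returns NULL when the plane does not fit that target. */
static uint8_t *select_write_target(bool use_temp, dst_buffer_t *surface,
                                    dst_buffer_t *temp, uint32_t nXDst,
                                    uint32_t nYDst, uint32_t nSrcWidth,
                                    uint32_t nSrcHeight)
{
    dst_buffer_t *target = use_temp ? temp : surface;
    if (!planar_dst_rect_fits(target, nXDst, nYDst, nSrcWidth, nSrcHeight))
        return NULL;
    return target->data;
}

/* Copies one channel of an already-decoded plane using the same offset
 * expression the description quotes, but only after the bounds check. */
static int write_plane_checked(dst_buffer_t *dst, uint32_t nXDst, uint32_t nYDst,
                               uint32_t nSrcWidth, uint32_t nSrcHeight,
                               uint32_t nChannel, const uint8_t *plane)
{
    if (!dst || nChannel >= dst->bpp)
        return -1;
    if (!planar_dst_rect_fits(dst, nXDst, nYDst, nSrcWidth, nSrcHeight))
        return -1;
    for (uint32_t y = 0; y < nSrcHeight; y++) {
        uint8_t *row = dst->data + (size_t)(nYDst + y) * dst->stride +
                       (size_t)dst->bpp * nXDst + nChannel;
        for (uint32_t x = 0; x < nSrcWidth; x++)
            row[(size_t)x * dst->bpp] = plane[(size_t)y * nSrcWidth + x];
    }
    return 0;
}

/* Constructed buffers: a 256x256 surface and a 128x128 temp buffer, the
 * "desktop <= 128x128" case from the description. */
static uint8_t g_surface_buf[256 * 256 * 4];
static uint8_t g_temp_buf[128 * 128 * 4];
static dst_buffer_t g_surface = { g_surface_buf, 256, 256, 256 * 4, 4 };
static dst_buffer_t g_temp = { g_temp_buf, 128, 128, 128 * 4, 4 };

dst_buffer_t *example_surface(void) { return &g_surface; }
dst_buffer_t *example_temp(void) { return &g_temp; }

/* Writes a constructed 2x2 plane into channel 2 at (1,1) of the temp buffer
 * and returns the byte at the last written position. */
int example_write_and_read(void)
{
    const uint8_t plane[4] = { 0x11, 0x22, 0x33, 0x44 }; /* constructed */
    memset(g_temp_buf, 0, sizeof(g_temp_buf));
    if (write_plane_checked(&g_temp, 1, 1, 2, 2, 2, plane) != 0)
        return -1;
    return g_temp_buf[(size_t)(1 + 1) * g_temp.stride + 4 * (1 + 1) + 2];
}

int main(void)
{
    /* A 200x100 plane fits the surface but must be refused for the temp buffer. */
    printf("surface: %d, temp accepted: %d, byte: 0x%02x\n",
           planar_dst_rect_fits(&g_surface, 0, 0, 200, 100),
           select_write_target(true, &g_surface, &g_temp, 0, 0, 200, 100) != NULL,
           example_write_and_read());
    return 0;
}
```

The 200x100 case in `main` is the shape of the bug: a rectangle that passes a surface-sized check is still refused once the check is applied to the 128x128 temp buffer, and the `0xFFFFFFFF` row offset case only fails because the sums are widened before comparison.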

Affected Systems

All FreeRDP installations with a version older than 3.23.0 are affected. The vulnerability exists in the core FreeRDP client code and applies to any deployment in which the client connects to RDP servers outside its control. Users relying on older versions such as 3.22.x or earlier are at risk, while versions 3.23.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 8.8 denotes high severity, but the EPSS score is less than 1%, indicating a low probability of widespread exploitation. The vulnerability is not yet listed in the NIST KEV catalog, suggesting no confirmed active exploits at the time of analysis. Exploitation requires an attacker to act as an RDP server and serve crafted RLE data to a FreeRDP client, which is feasible for any external host with the ability to initiate an RDP connection. If successfully exploited, the attacker can gain arbitrary code execution on the client, potentially compromising confidentiality, integrity, and availability of the system.

Generated by OpenCVE AI on April 17, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FreeRDP client to version 3.23.0 or later to apply the authoritative fix.
  • If an upgrade is not immediately possible, configure network controls to limit RDP connections to trusted hosts or isolate the client on a network segment with strict firewall rules.
  • Consider temporarily disabling or restricting RLE compression in the client configuration to mitigate the risk until a patch is applied.

Generated by OpenCVE AI on April 17, 2026 at 14:51 UTC.

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| References | | |
| Metrics | threat_severity: None | threat_severity: Important |

Fri, 27 Feb 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| CPEs | | `cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*` |

Thu, 26 Feb 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |

Thu, 26 Feb 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Freerdp; Freerdp freerdp |
| Vendors & Products | | Freerdp; Freerdp freerdp |

Wed, 25 Feb 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128×128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability. |
| Title | | FreeRDP has Out-of-bounds Write |
| Weaknesses | | CWE-787 |
| References | | |
| Metrics | | cvssV3_1: `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:44:04.865Z

Reserved: 2026-02-16T22:20:28.612Z

Link: CVE-2026-26965

Vulnrichment

Updated: 2026-02-26T14:08:13.402Z

NVD

Status: Analyzed

Published: 2026-02-25T21:16:43.047

Modified: 2026-02-27T14:49:57.897

Link: CVE-2026-26965

Redhat

Severity: Important

Public Date: 2026-02-25T20:59:17Z

Links: CVE-2026-26965 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses