Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing horizontal bounds validation of H.264 metablock regionRects coordinates. In yuv.c, the clamp() function (line 347) only validates top/bottom against the surface/YUV height, but never checks left/right against the surface width. When avc420_yuv_to_rgb (line 67) computes destination and source pointers using rect->left, it performs unchecked pointer arithmetic that can reach far beyond the allocated surface buffer. A malicious server sends a WIRE_TO_SURFACE_PDU_1 with AVC420 codec containing a regionRects entry where left greatly exceeds the surface width (e.g., left=60000 on a 128px surface). The H.264 bitstream decodes successfully, then yuv420_process_work_callback calls avc420_yuv_to_rgb which computes pDstPoint = pDstData + rect->top * nDstStep + rect->left * 4, writing 16-byte SSE vectors 1888+ bytes past the allocated heap region. This vulnerability is fixed in 3.24.0.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap Buffer Overflow
Action: Patch Immediately
AI Analysis

Impact

FreeRDP, a free implementation of the Remote Desktop Protocol, contains a client-side heap buffer overflow in the YUV-to-RGB conversion routine avc420_yuv_to_rgb. The overflow arises because clamp() validates only the vertical coordinates of regionRects and omits any left/right bounds check. A malicious server can send a WIRE_TO_SURFACE_PDU_1 with the AVC420 codec and a rectangle whose left coordinate lies far outside the surface width, causing avc420_yuv_to_rgb to compute a destination pointer well past the allocated surface buffer. This memory corruption can lead to application crashes or potentially arbitrary code execution; the issue is rated medium severity and classified as CWE-787 (out-of-bounds write).
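As an added illustration of the bounds-check gap described in the Description and in the Impact paragraph above (example code written for this page, not FreeRDP's own yuv.c): a validator that, like the pre-3.24.0 clamp() as the advisory characterises it, checks only top/bottom, beside one that also checks left/right, plus the destination-offset arithmetic the advisory quotes. The struct, the function names, the 128x128 surface with a 512-byte stride and the right/bottom values of the sample rectangle are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Rectangle with the field names the advisory uses (constructed here; it
 * stands in for FreeRDP's RECTANGLE_16 rather than including its header). */
typedef struct { uint16_t left, top, right, bottom; } rect16;

/* Vertical-only validation, mirroring what the advisory says the pre-3.24.0
 * clamp() did: top/bottom are checked against the height, left/right never. */
static bool clamp_vertical_only(rect16 r, uint32_t width, uint32_t height)
{
    (void)width; /* width is never consulted, which is the bug */
    return r.top < r.bottom && r.bottom <= height;
}

/* Hardened validator (added illustration, not FreeRDP's actual fix): the same
 * check, plus left/right against the surface width. */
static bool clamp_full(rect16 r, uint32_t width, uint32_t height)
{
    return clamp_vertical_only(r, width, height) && r.left < r.right && r.right <= width;
}

/* Byte offset of the destination pointer quoted in the advisory:
 * pDstPoint = pDstData + top * nDstStep + left * 4 (4 bytes per RGB pixel). */
static size_t dst_offset(rect16 r, size_t nDstStep)
{
    return (size_t)r.top * nDstStep + (size_t)r.left * 4u;
}

/* Whether a 16-byte SSE store at that offset stays inside a surface buffer of
 * height * nDstStep bytes. Computed arithmetically, nothing is dereferenced. */
static bool first_write_in_bounds(rect16 r, size_t nDstStep, uint32_t height)
{
    return dst_offset(r, nDstStep) + 16u <= (size_t)height * nDstStep;
}
/* The advisory's example region: left = 60000 on a 128-pixel-wide surface. The
 * right/bottom values are assumed; only left matters for the overflow. */
static rect16 advisory_rect(void)
{
    rect16 r = { 60000, 0, 60016, 16 };
    return r;
}

/* An ordinary in-bounds region for comparison (constructed). */
static rect16 benign_rect(void)
{
    rect16 r = { 0, 0, 16, 16 };
    return r;
}
```

With a 128x128 surface and a 512-byte stride the advisory's rectangle passes the vertical-only check but lands 240000 bytes into a 65536-byte buffer, which is exactly the case the width check rejects.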

Affected Systems

The vulnerability exists in all FreeRDP client releases prior to version 3.24.0. Any user running FreeRDP as the client for remote desktop sessions is potentially impacted when connecting to a server that can supply the crafted PDU.

Risk and Exploitability

The CVSS base score is 5.3, reflecting a moderate impact. The EPSS score is below 1%, indicating a low probability of current exploitation in the wild, and the vulnerability has not been listed in CISA’s KEV catalog. Exploitation requires a malicious RDP server capable of sending the specific PDU, so exposure is limited to connections with untrusted servers. Nonetheless, the lack of bounds checks creates a clear opportunity for memory corruption, warranting prompt attention.

Generated by OpenCVE AI on March 17, 2026 at 16:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to version 3.24.0 or later where the issue is fixed.
  • If upgrading is not immediately possible, avoid connecting to untrusted Remote Desktop servers until a patch is applied.
  • Check the FreeRDP project's release notes and advisories for additional security updates.
  • Monitor for any new advisories and apply patches as soon as they become available.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 15:00:00 +0000

Type | Values Removed | Values Added
CPEs | (none) | cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

Mon, 16 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | (none) | {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Freerdp; Freerdp freerdp
Vendors & Products | (none) | Freerdp; Freerdp freerdp

Sat, 14 Mar 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | (none) | (values not shown)
Metrics (threat_severity) | None | Moderate


Fri, 13 Mar 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | (identical to the Description section above)
Title | (none) | FreeRDP has a heap-buffer-overflow in avc420_yuv_to_rgb via OOB regionRects
Weaknesses | (none) | CWE-787
References | (none) | (values not shown)
Metrics (cvssV3_1) | (none) | {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T17:05:01.346Z

Reserved: 2026-03-04T16:26:02.897Z

Link: CVE-2026-29774

Vulnrichment

Updated: 2026-03-16T17:04:51.167Z

NVD

Status: Analyzed

Published: 2026-03-13T19:54:32.890

Modified: 2026-03-17T14:51:38.930

Link: CVE-2026-29774

Red Hat

Severity: Moderate

Public Date: 2026-03-13T17:26:58Z

Links: CVE-2026-29774 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-24T10:39:40Z

Weaknesses