Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Patch
AI Analysis

Impact

FreeRDP’s bitmap_cache_put function contains an out‑of‑bounds read/write due to an off‑by‑one boundary check. An attacker controlling an RDP server can send a CACHE_BITMAP_ORDER packet with cacheId equal to maxCells, bypassing the guard and writing to an array element past the allocated bounds. This can cause application crashes or unpredictable behavior. The flaw is identified as CWE-787. The description does not mention any further consequences beyond the memory corruption impact.

Affected Systems

The vulnerability affects the FreeRDP client implementation prior to release 3.24.0. Any system running FreeRDP 3.23.x or earlier is vulnerable. The CPE string confirms the product is freerdp:freerdp. Versions 3.24.0 or later are not affected.

Risk and Exploitability

The CVSS v3.1 score is 5.3, indicating moderate severity. The EPSS probability is reported as less than 1 %, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to act as a malicious RDP server that the client trusts; thus the vector is client‑side and depends on the client connecting to an untrusted server. No evidence of active exploitation is documented, so the risk remains theoretical based on the conditions described.

Generated by OpenCVE AI on March 17, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to version 3.24.0 or later, which contains the fix.

Generated by OpenCVE AI on March 17, 2026 at 17:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

Mon, 16 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Freerdp
Freerdp freerdp
Vendors & Products Freerdp
Freerdp freerdp

Sat, 14 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 13 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.
Title FreeRDP has a heap-buffer-overflow in bitmap_cache_put via OOB cacheId
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Freerdp Freerdp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T17:04:16.515Z

Reserved: 2026-03-04T16:26:02.897Z

Link: CVE-2026-29775

cve-icon Vulnrichment

Updated: 2026-03-16T17:04:06.619Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-13T19:54:33.053

Modified: 2026-03-17T14:43:17.400

Link: CVE-2026-29775

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-13T17:28:39Z

Links: CVE-2026-29775 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:39:39Z

Weaknesses