Impact
An out-of-bounds read occurs in the FreeRDP function freerdp_bitmap_decompress_planar when the source size (SrcSize) is zero. The function dereferences the source buffer pointer without first checking that at least one byte is available, so with an empty buffer it reads one byte past the end of the data it was given. The read is confined to that single adjacent byte: it does not give an attacker a primitive for reading arbitrary memory, and anything disclosed is limited to what the value of that byte can influence in observable behaviour. The flaw does not directly provide code execution or a denial of service.
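The missing-length-check pattern described above, as an added example that is not FreeRDP's code: a hypothetical parse_planar_header_vulnerable reads the RDP6 planar FormatHeader byte without consulting the length, beside a hardened parse_planar_header_hardened that rejects a zero-length stream before touching it. The struct, function names and the sentinel arrangement in the demo are assumptions for illustration; the demo places a zero-length logical buffer directly in front of a known byte so the out-of-bounds read can be observed without undefined behaviour.

```c
/* Added example, not FreeRDP code. Names and the planar_header_t struct are
 * hypothetical; only the FormatHeader bit layout follows the RDP6 planar
 * codec (MS-RDPEGDI 2.2.2.5.1.1). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* FormatHeader byte: bits 0-2 cll (colour loss level), bit 3 cs (chroma
 * subsampling), bit 4 rle, bit 5 na (no alpha), bits 6-7 reserved. */
typedef struct {
    uint8_t cll;
    bool cs;
    bool rle;
    bool na;
} planar_header_t;

static planar_header_t decode_format_header(uint8_t b) {
    planar_header_t h;
    h.cll = b & 0x07;
    h.cs  = (b & 0x08) != 0;
    h.rle = (b & 0x10) != 0;
    h.na  = (b & 0x20) != 0;
    return h;
}

/* Vulnerable pattern: assumes src holds at least one byte. With
 * src_size == 0 the read of src[0] is one byte past the logical buffer. */
bool parse_planar_header_vulnerable(const uint8_t *src, size_t src_size,
                                    planar_header_t *out) {
    (void)src_size;                      /* length is never consulted */
    *out = decode_format_header(src[0]);
    return true;
}

/* Hardened form: refuse an empty stream before dereferencing it, and report
 * the remaining length so later field parsers can check against it too. */
bool parse_planar_header_hardened(const uint8_t *src, size_t src_size,
                                  planar_header_t *out, size_t *remaining) {
    if (!src || src_size < 1)
        return false;
    *out = decode_format_header(src[0]);
    *remaining = src_size - 1;
    return true;
}

/* Constructed arrangement: a zero-length logical stream that starts at a
 * sentinel byte. The vulnerable parser "decodes" memory it was never given;
 * the decoded fields are reassembled so the leaked byte value is visible. */
uint8_t demo_vulnerable_reads_neighbour(void) {
    static const uint8_t arena[] = { 0x3A, 0x55 };  /* 0x3A: cll=2,cs,rle,na */
    const uint8_t *empty_stream = arena;            /* SrcSize == 0 here */
    planar_header_t h;
    parse_planar_header_vulnerable(empty_stream, 0, &h);
    return (uint8_t)(h.cll | (h.cs << 3) | (h.rle << 4) | (h.na << 5));
}

/* Same zero-length input against the hardened parser: rejected, nothing read. */
int demo_hardened_rejects_empty(void) {
    static const uint8_t arena[] = { 0x3A, 0x55 };
    planar_header_t h;
    size_t remaining = 0;
    return parse_planar_header_hardened(arena, 0, &h, &remaining) ? 1 : 0;
}

/* Well-formed two-byte input: header consumed, one byte reported remaining. */
size_t demo_hardened_remaining(void) {
    static const uint8_t stream[] = { 0x3A, 0x55 };
    planar_header_t h;
    size_t remaining = 0;
    if (!parse_planar_header_hardened(stream, sizeof stream, &h, &remaining))
        return (size_t)-1;
    return remaining;
}

int main(void) {
    printf("vulnerable parser decoded neighbour byte 0x%02X\n",
           demo_vulnerable_reads_neighbour());
    printf("hardened parser accepted empty stream: %d\n",
           demo_hardened_rejects_empty());
    printf("hardened parser remaining after header: %zu\n",
           demo_hardened_remaining());
    return 0;
}
```

In a real decoder the single missing check is only the first of many: every subsequent field read (plane sizes, RLE segments) needs the same comparison against the remaining length, which is why the hardened form hands that count back to the caller.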
Affected Systems
All FreeRDP versions prior to 3.24.0 are affected. The product is identified by the CPE cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:* and is used wherever the open-source FreeRDP client or libraries are deployed for Remote Desktop Protocol sessions. The vulnerability is in the planar bitmap decompression routine that processes incoming RDP bitmap data.
Risk and Exploitability
The EPSS score is below 1 %, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker who can deliver RDP bitmap data that reaches the planar decompressor with a source size of zero. FreeRDP decodes planar bitmaps on the receiving side of a session, so in the common deployment (FreeRDP as a client) the attacker is a malicious or compromised RDP server that the user connects to; any other component that feeds planar bitmaps from an untrusted peer into this routine is exposed in the same way. The overall risk is therefore low for most deployments, but installations that connect to servers outside their administrative control should update to 3.24.0 or later promptly. No CVSS score is provided in the data, but the impact is limited to information disclosure.
OpenCVE Enrichment