Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/planar.c, freerdp_bitmap_decompress_planar() validates the X destination coordinate nXDst against the caller-provided destination stride (nDstStep) even when it is writing into the internal temp buffer pTempData. An attacker can bypass the check with a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData. This vulnerability is fixed in 3.26.0.
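The bug class described above, contrasted with its fix, as an added illustration in C. This is not FreeRDP's code and does not reproduce its decoder: it models a destination-coordinate check computed from a caller-supplied stride (the flaw) next to one computed from the geometry of the buffer the decoder actually writes (the hardened form). The scratch-buffer layout, the bytes-per-pixel constant, the function names and all numbers are constructed assumptions.

```c
/* Added illustration of the bug class described above; NOT FreeRDP's code.
 * It contrasts a destination-coordinate check derived from a caller-supplied
 * stride with one derived from the geometry of the buffer actually written.
 * Layout, BPP and every name and size below are constructed assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BPP 4u /* assumed bytes per pixel in the scratch buffer */

/* Internal scratch buffer with its own geometry (stand-in for a temp buffer). */
typedef struct {
    uint8_t *data;
    size_t size;     /* total bytes available */
    uint32_t width;  /* pixels per row; row stride is width * BPP */
    uint32_t height; /* rows */
} scratch_t;

/* End offset (one past the last byte) of a w x h rectangle written at (x, y)
 * using the scratch buffer's own row stride. 64-bit so large inputs cannot wrap. */
uint64_t write_end_offset(const scratch_t *t, uint32_t x, uint32_t y,
                          uint32_t w, uint32_t h)
{
    uint64_t stride = (uint64_t)t->width * BPP;
    if (w == 0 || h == 0)
        return 0;
    return ((uint64_t)y + h - 1) * stride + ((uint64_t)x + w) * BPP;
}

/* Ground truth for the demo: does the write stay inside the scratch buffer? */
bool write_fits(const scratch_t *t, uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    return write_end_offset(t, x, y, w, h) <= t->size;
}

/* Weak check, modelling the flaw: it bounds x against the caller-provided
 * destination stride, a value that says nothing about the scratch buffer. */
bool check_vs_caller_stride(uint32_t x, uint32_t w, uint32_t caller_stride)
{
    uint64_t caller_row_pixels = (uint64_t)caller_stride / BPP;
    return (uint64_t)x + w <= caller_row_pixels;
}

/* Hardened check: validate every coordinate against the buffer being written,
 * in 64-bit arithmetic, and confirm the final byte offset is within its size. */
bool check_vs_target(const scratch_t *t, uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    if (w == 0 || h == 0)
        return false;
    if ((uint64_t)x + w > t->width)
        return false;
    if ((uint64_t)y + h > t->height)
        return false;
    return write_fits(t, x, y, w, h);
}

/* Constructed scenario: a 64x64 scratch buffer, a huge caller stride and an
 * x coordinate far outside the scratch width. Returns true when the weak check
 * would admit an out-of-bounds write that the hardened check rejects. */
bool demo_shows_gap(void)
{
    static uint8_t storage[64 * 64 * BPP];
    scratch_t t = { storage, sizeof storage, 64, 64 };
    uint32_t x = 100000, y = 0, w = 16, h = 16;
    uint32_t caller_stride = 0x7fffffff;

    bool weak_accepts = check_vs_caller_stride(x, w, caller_stride);
    bool hard_accepts = check_vs_target(&t, x, y, w, h);
    bool fits = write_fits(&t, x, y, w, h);
    return weak_accepts && !fits && !hard_accepts;
}

int main(void)
{
    printf("weak check admits an out-of-bounds write that the hardened check rejects: %s\n",
           demo_shows_gap() ? "yes" : "no");
    return 0;
}
```

The point of the hardened variant is that the check and the write agree on which buffer they are talking about: every limit comes from the scratch buffer's own width, height and size, never from a stride the remote peer controls, and the arithmetic is widened to 64 bits so a large coordinate cannot wrap the comparison.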
Published: 2026-05-29
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability exists in the planar bitmap decoder of FreeRDP, where the function freerdp_bitmap_decompress_planar() fails to enforce bounds validation for the temporary buffer pTempData. An attacker who supplies a specially crafted Remote Desktop Protocol packet containing large X destination coordinates and a large destination stride can cause the decoder to write beyond the end of the heap buffer. The resulting memory corruption is an out-of-bounds heap write (CWE-787).

Affected Systems

All released FreeRDP binaries earlier than version 3.26.0 are affected. Clients and remote-desktop servers that use these older FreeRDP versions are vulnerable when they process RLE planar bitmap data from a remote session.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. The flaw is remotely exploitable over an RDP session and does not require local privileges, so any system accepting RDP connections from untrusted hosts is at risk.

Generated by OpenCVE AI on May 29, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to version 3.26.0 or later, which contains the fixed decoder logic.
  • If upgrading immediately is not feasible, configure the client or server to disable RLE planar compression or enforce strict bounds on stride and coordinate values before decoding.
  • Implement network-level security controls such as VPN or firewall rules to restrict RDP access to trusted hosts and monitor for anomalous RDP traffic that may indicate exploitation attempts.


Advisories

No advisories yet.

History

Fri, 29 May 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Freerdp; Freerdp freerdp
Vendors & Products   (none)           Freerdp; Freerdp freerdp

Fri, 29 May 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/planar.c, freerdp_bitmap_decompress_planar() validates the X destination coordinate nXDst against the caller-provided destination stride (nDstStep) even when it is writing into the internal temp buffer pTempData. An attacker can bypass the check with a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData. This vulnerability is fixed in 3.26.0.
Title         (none)           Heap-buffer-overflow write in planar bitmap decoder
Weaknesses    (none)           CWE-787
References    (none)           (none)
Metrics       (none)           cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:44:12.385Z

Reserved: 2026-05-13T04:38:01.165Z

Link: CVE-2026-45700

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-29T20:16:27.533

Modified: 2026-05-29T20:22:37.383

Link: CVE-2026-45700

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T22:00:09Z

Weaknesses