Vulnerability-Lookup

CVE-2026-26965 (GCVE-0-2026-26965)

Vulnerability from cvelistv5 – Published: 2026-02-25 20:59 – Updated: 2026-02-26 14:44

Title

FreeRDP has Out-of-bounds Write

Summary

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128×128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Assigner

GitHub_M

References

URL

Tags

	https://github.com/FreeRDP/FreeRDP/security/advis…	x_refsource_CONFIRM
	https://github.com/FreeRDP/FreeRDP/commit/a0be5cb…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	FreeRDP	FreeRDP	Affected: < 3.23.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26965",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T04:56:18.809883Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T14:44:04.865Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FreeRDP",
          "vendor": "FreeRDP",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.23.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar-\u003epTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and  on the brk heap (desktop \u2264 128\u00d7128), an adjacent `NSC_CONTEXT` struct\u0027s `decode` function pointer is overwritten with attacker-controlled pixel data \u2014 control-flow\u2013relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc-\u003edecode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T20:59:17.828Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5vgf-mw4f-r33h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5vgf-mw4f-r33h"
        },
        {
          "name": "https://github.com/FreeRDP/FreeRDP/commit/a0be5cb87d760bb1c803ad1bb835aa1e73e62abc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FreeRDP/FreeRDP/commit/a0be5cb87d760bb1c803ad1bb835aa1e73e62abc"
        }
      ],
      "source": {
        "advisory": "GHSA-5vgf-mw4f-r33h",
        "discovery": "UNKNOWN"
      },
      "title": "FreeRDP has Out-of-bounds Write"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26965",
    "datePublished": "2026-02-25T20:59:17.828Z",
    "dateReserved": "2026-02-16T22:20:28.612Z",
    "dateUpdated": "2026-02-26T14:44:04.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-26965\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-25T21:16:43.047\",\"lastModified\":\"2026-02-27T14:49:57.897\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar-\u003epTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and  on the brk heap (desktop \u2264 128\u00d7128), an adjacent `NSC_CONTEXT` struct\u0027s `decode` function pointer is overwritten with attacker-controlled pixel data \u2014 control-flow\u2013relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc-\u003edecode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability.\"},{\"lang\":\"es\",\"value\":\"FreeRDP es una implementaci\u00f3n gratuita del Protocolo de Escritorio Remoto. Antes de la versi\u00f3n 3.23.0, en la ruta de decodificaci\u00f3n planar RLE, planar_decompress_plane_rle() escribe en pDstData en ((nYDst+y) * nDstStep) + (4*nXDst) + nChannel sin verificar que (nYDst+nSrcHeight) encaje en la altura de destino o que (nXDst+nSrcWidth) encaje en el paso de destino. Cuando TempFormat != DstFormat, pDstData se convierte en planar-\u0026gt;pTempData (dimensionado para el escritorio), mientras que nYDst solo se valida contra la superficie mediante is_within_surface(). Un servidor RDP malicioso puede explotar esto para realizar una escritura fuera de l\u00edmites en el heap con un desplazamiento y datos de p\u00edxeles controlados por el atacante en cualquier cliente FreeRDP que se conecte. La escritura OOB alcanza hasta 132.096 bytes m\u00e1s all\u00e1 del final del b\u00fafer temporal, y en el heap brk (escritorio ? 128\u00d7128), el puntero de funci\u00f3n decode de una estructura NSC_CONTEXT adyacente se sobrescribe con datos de p\u00edxeles controlados por el atacante \u2014 corrupci\u00f3n relevante para el flujo de control (puntero de funci\u00f3n sobrescrito) demostrada bajo un dise\u00f1o de heap determinista (nsc-\u0026gt;decode = 0xFF414141FF414141). La versi\u00f3n 3.23.0 corrige la vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.23.0\",\"matchCriteriaId\":\"31715854-6D23-4207-AB69-27707C7B2D42\"}]}]}],\"references\":[{\"url\":\"https://github.com/FreeRDP/FreeRDP/commit/a0be5cb87d760bb1c803ad1bb835aa1e73e62abc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5vgf-mw4f-r33h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"FreeRDP has Out-of-bounds Write\", \"source\": {\"advisory\": \"GHSA-5vgf-mw4f-r33h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"FreeRDP\", \"product\": \"FreeRDP\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.23.0\"}]}], \"references\": [{\"url\": \"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5vgf-mw4f-r33h\", \"name\": \"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5vgf-mw4f-r33h\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/FreeRDP/FreeRDP/commit/a0be5cb87d760bb1c803ad1bb835aa1e73e62abc\", \"name\": \"https://github.com/FreeRDP/FreeRDP/commit/a0be5cb87d760bb1c803ad1bb835aa1e73e62abc\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar-\u003epTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and  on the brk heap (desktop \\u2264 128\\u00d7128), an adjacent `NSC_CONTEXT` struct\u0027s `decode` function pointer is overwritten with attacker-controlled pixel data \\u2014 control-flow\\u2013relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc-\u003edecode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787: Out-of-bounds Write\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-25T20:59:17.828Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-26965\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-26T04:56:18.809883Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-02-26T14:08:13.402Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-26965\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-25T20:59:17.828Z\", \"dateReserved\": \"2026-02-16T22:20:28.612Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-25T20:59:17.828Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-26965

Vulnerability from fkie_nvd - Published: 2026-02-25 21:16 - Updated: 2026-02-27 14:49

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H