Skip to main content

FreeRDP CVE-2026-45700

| EUVDEUVD-2026-33436 HIGH
Out-of-bounds Write (CWE-787)
2026-05-29 GitHub_M
7.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
May 29, 2026 - 21:02 EUVD
Analysis Generated
May 29, 2026 - 20:32 vuln.today
CVSS changed
May 29, 2026 - 20:22 NVD
7.7 (HIGH)

DescriptionCVE.org

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/planar.c, freerdp_bitmap_decompress_planar() validates the X destination coordinate nXDst against the caller-provided destination stride (nDstStep) even when it is writing into the internal temp buffer pTempData. An attacker can bypass the check with a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData. This vulnerability is fixed in 3.26.0.

AnalysisAI

Out-of-bounds heap write in FreeRDP versions prior to 3.26.0 allows remote attackers to corrupt memory in the planar bitmap decoder when an RDP client connects to a malicious or compromised server. The flaw lives in freerdp_bitmap_decompress_planar() in libfreerdp/codec/planar.c, where attacker-controlled stride and X-destination values bypass bounds checks against the internal pTempData buffer. No public exploit identified at time of analysis, but the issue is fixed upstream in 3.26.0.

Technical ContextAI

FreeRDP is the widely used open-source implementation of Microsoft's Remote Desktop Protocol, embedded in many Linux/Unix RDP clients, thin clients, and virtualization tooling (per CPE cpe:2.3:a:freerdp:freerdp). The vulnerability is a classic CWE-787 out-of-bounds write in the RDP planar bitmap codec used to decompress RLE-encoded bitmap updates from a server. The validation logic in freerdp_bitmap_decompress_planar() checks the destination X coordinate (nXDst) against the caller-supplied destination stride (nDstStep), but this stride applies to the eventual output surface - not the smaller internal scratch buffer pTempData. When the decoder routes data through pTempData via planar_decompress_plane_rle(), an attacker who supplies a sufficiently large nDstStep paired with a large nXDst passes the check yet writes past the end of the temp heap allocation.

RemediationAI

Vendor-released patch: upgrade libfreerdp and any bundled clients to FreeRDP 3.26.0 or later, as called out in the upstream advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mpxh-8fq3-x8mh. Operators of Linux distributions should track their distro security trackers for backported fixes to the 3.x packages and rebuild dependent applications (Remmina, GNOME Connections, etc.) against the patched library. As a compensating control until patched binaries are deployed, restrict outbound RDP (TCP/3389 and UDP/3389) from workstations to only known internal jump hosts via host or perimeter firewall - this blocks the attacker-server vector at the cost of breaking ad-hoc RDP to external endpoints. Where users must connect to untrusted servers, advise against doing so from the vulnerable client and prefer a hardened or Microsoft mstsc client temporarily; note this only mitigates, it does not eliminate, MITM-on-path scenarios against legitimate servers.

CVE-2026-25997 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth

CVE-2026-25953 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corrupti

CVE-2026-25952 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory cor

CVE-2026-25959 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers mem

CVE-2026-22857 CRITICAL POC
9.8 Jan 14

FreeRDP IRP thread handler has a use-after-free where the IRP is freed by Complete() then accessed on the error path. Fi

CVE-2026-22854 CRITICAL POC
9.8 Jan 14

FreeRDP drive read heap overflow when server-controlled read length exceeds IRP output buffer. Fixed in 3.20.1. PoC avai

CVE-2026-22852 CRITICAL POC
9.8 Jan 14

FreeRDP client before 3.20.1 has a heap buffer overflow in AUDIN format processing. A malicious RDP server can corrupt m

CVE-2026-25955 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and

CVE-2024-32041 CRITICAL POC
9.8 Apr 22

FreeRDP is a free implementation of the Remote Desktop Protocol. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2023-40574 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40569 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40567 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed

Share

CVE-2026-45700 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy