CVE-2026-29774 in FreeRDP

Summary

by MITRE • 03/13/2026

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing horizontal bounds validation of H.264 metablock regionRects coordinates. In yuv.c, the clamp() function (line 347) only validates top/bottom against the surface/YUV height, but never checks left/right against the surface width. When avc420_yuv_to_rgb (line 67) computes destination and source pointers using rect->left, it performs unchecked pointer arithmetic that can reach far beyond the allocated surface buffer. A malicious server sends a WIRE_TO_SURFACE_PDU_1 with AVC420 codec containing a regionRects entry where left greatly exceeds the surface width (e.g., left=60000 on a 128px surface). The H.264 bitstream decodes successfully, then yuv420_process_work_callback calls avc420_yuv_to_rgb which computes pDstPoint = pDstData + rect->top * nDstStep + rect->left * 4, writing 16-byte SSE vectors 1888+ bytes past the allocated heap region. This vulnerability is fixed in 3.24.0.


Analysis

by VulDB Data Team • 05/13/2026

The vulnerability described in CVE-2026-29774 represents a critical heap buffer overflow in FreeRDP client implementations prior to version 3.24.0, specifically affecting the H.264 video codec processing pipeline. This issue occurs within the AVC420/AVC444 YUV-to-RGB conversion path, where the client-side implementation fails to properly validate boundary conditions for H.264 metablock regionRects coordinates. The flaw lies in the yuv.c file, where the clamp() function validates only the top and bottom coordinates against the surface height and never checks left and right against the surface width, so horizontal bounds validation is missing entirely. This omission creates a significant security gap that allows attackers to manipulate memory access patterns through maliciously crafted video frames.

The technical exploitation of this vulnerability begins with a malicious server sending a WIRE_TO_SURFACE_PDU_1 message containing AVC420 codec data with specially crafted regionRects entries. When the left coordinate of these rectangles significantly exceeds the actual surface width (for example, left=60000 on a 128px surface), the client decodes the H.264 bitstream successfully but the subsequent conversion phase goes wrong. The avc420_yuv_to_rgb function computes destination pointers using unchecked arithmetic, pDstPoint = pDstData + rect->top * nDstStep + rect->left * 4, so an oversized left offset moves the write pointer far beyond the allocated heap buffer; the reported writes reach 1888+ bytes past the legitimate buffer region. The vulnerability is particularly dangerous because it occurs during normal video processing and can be triggered through an otherwise legitimate remote desktop connection, without requiring special privileges or authentication on the client side.
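The following C model is added here to illustrate the check described above; it is not FreeRDP's yuv.c. clamp_vertical_only mirrors the pre-3.24.0 behaviour of bounding only top/bottom, clamp_both_axes is a hardened variant that also bounds left/right, and dst_offset reproduces the pDstPoint arithmetic from the summary. The struct layout, field widths, 4-byte pixel format and the 128x128 surface are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a regionRects entry; not FreeRDP's actual type. */
typedef struct { uint32_t left, top, right, bottom; } rect_t;

/* Model of the pre-fix check: only top/bottom are clamped against the
 * surface height, so an oversized left/right is accepted unchanged. */
static bool clamp_vertical_only(rect_t *r, uint32_t width, uint32_t height)
{
    (void)width; /* the width is never consulted, which is the bug */
    if (r->top > height)    r->top = height;
    if (r->bottom > height) r->bottom = height;
    return r->top < r->bottom;
}

/* Hardened variant: clamp both axes and reject a rect that becomes empty. */
static bool clamp_both_axes(rect_t *r, uint32_t width, uint32_t height)
{
    if (r->left > width)    r->left = width;
    if (r->right > width)   r->right = width;
    if (r->top > height)    r->top = height;
    if (r->bottom > height) r->bottom = height;
    return r->left < r->right && r->top < r->bottom;
}

/* Byte offset of pDstPoint = pDstData + top * nDstStep + left * 4. */
static size_t dst_offset(const rect_t *r, size_t nDstStep)
{
    return (size_t)r->top * nDstStep + (size_t)r->left * 4;
}

/* True if a 16-byte vector store at the rect's origin stays inside a
 * width x height surface with 4 bytes per pixel (assumed BGRA layout). */
static bool store_in_bounds(const rect_t *r, uint32_t width, uint32_t height)
{
    size_t step = (size_t)width * 4;
    return dst_offset(r, step) + 16 <= step * height;
}

/* The summary's constructed case: left=60000 on a 128x128 surface. Returns
 * true when the old check lets the store go out of bounds and the new one
 * rejects the rect. */
static bool constructed_case(void)
{
    rect_t old = {60000, 0, 60016, 16}, fixed = old;
    bool oob = clamp_vertical_only(&old, 128, 128) && !store_in_bounds(&old, 128, 128);
    return oob && !clamp_both_axes(&fixed, 128, 128);
}
```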

The operational impact of this vulnerability extends beyond simple memory corruption, as it creates potential for arbitrary code execution and system compromise. Attackers can leverage this heap overflow to overwrite adjacent memory regions, potentially corrupting critical data structures or injecting malicious code into the FreeRDP client process. The vulnerability affects all FreeRDP client implementations that process H.264 video streams, making it particularly concerning for enterprise environments where remote desktop protocols are extensively used for administrative access and remote work scenarios. The attack vector requires only a malicious remote server to send specially crafted video data, making it relatively easy to exploit in real-world scenarios where users connect to untrusted remote desktop services. This vulnerability aligns with CWE-121, heap-based buffer overflow, and represents a classic example of insufficient bounds checking in memory management operations.

The mitigation strategy for CVE-2026-29774 requires immediate deployment of FreeRDP version 3.24.0 or later, which includes proper horizontal bounds validation in the clamp() function. Organizations should also implement network segmentation and access controls to limit exposure to potentially malicious remote servers, particularly in environments where remote desktop connections are permitted to untrusted networks. Additional defensive measures include monitoring for unusual video processing patterns and implementing intrusion detection systems that can identify malicious WIRE_TO_SURFACE_PDU_1 messages. Security teams should also consider disabling H.264 codec support in FreeRDP configurations when it is not strictly necessary, reducing the attack surface while maintaining functionality. This vulnerability demonstrates the importance of comprehensive boundary checking in multimedia processing pipelines and aligns with ATT&CK technique T1203, Exploitation for Client Execution, as it enables remote code execution through client-side exploitation of video processing components.

Responsible

GitHub M

Reservation

03/04/2026

Disclosure

03/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00103

KEV

no

Activities

very low

Sources
