CVE-2026-29775 in FreeRDP

Summary

by MITRE • 03/13/2026

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.


Analysis

by VulDB Data Team • 05/13/2026

The vulnerability identified as CVE-2026-29775 affects FreeRDP, an open-source implementation of Microsoft's Remote Desktop Protocol that provides remote desktop connections across many platforms. The flaw lies in the bitmap cache subsystem of FreeRDP's client implementation and is a critical heap-based memory corruption issue that a remote attacker can trigger from the server side of the connection. It is present in all versions prior to 3.24.0, which are therefore susceptible to exploitation through interaction with a malicious remote desktop server.

The technical root cause is an off-by-one error in the bitmap_cache_put function of FreeRDP's bitmap cache implementation. The faulty boundary check is reached when the client processes CACHE_BITMAP_ORDER (Rev1) messages sent by the remote server. A malicious server can set the cacheId field equal to maxCells, and the guard accepts that value even though the only valid indices into cells[] are 0 through maxCells-1. The client then accesses cells[] one element beyond its allocated bounds, producing either a heap out-of-bounds read or a heap out-of-bounds write. This falls under CWE-129 (improper validation of an array index) and is a classic example of insufficient input validation leading to memory corruption.

The operational impact is significant: an attacker who controls a remote desktop server, including a compromised server that victims connect to, can use the flaw to execute arbitrary code on the connecting client, potentially leading to complete compromise of that system. The heap corruption can cause unpredictable behavior, including application crashes and data corruption, or, in the worst case, code execution through memory manipulation techniques. This vulnerability aligns with ATT&CK technique T1071.004, which covers application layer protocol usage for command and control communications, as it can be leveraged to establish persistent access through compromised remote desktop connections. The attack surface is particularly concerning given the widespread use of FreeRDP in enterprise environments and remote access scenarios.

Mitigation begins with an immediate upgrade to FreeRDP version 3.24.0 or later, which contains the patch for the boundary check. Organizations should also apply network segmentation and access controls so that clients only connect to trusted remote desktop servers, limiting exposure to malicious ones. Additional defensive measures include monitoring network traffic for suspicious CACHE_BITMAP_ORDER messages and deploying intrusion detection systems that can flag anomalous Remote Desktop Protocol behavior. Security teams should also run vulnerability assessments to confirm that every FreeRDP build in their environment is updated, as the vulnerability affects both client and server components that may be exposed to untrusted remote entities. The fix resolves the underlying CWE-129 issue by validating cacheId against the actual array dimensions before any memory access takes place.
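To make the boundary check concrete, here is an added C model of the off-by-one described above and of the kind of index validation the fix has to perform. It is illustrative code written for this page, not FreeRDP's bitmap_cache_put; the struct and function names (cache_cell, bitmap_cache, cache_index_ok_vulnerable, cache_index_ok_fixed, bitmap_cache_put_fixed, guards_disagree) are assumptions, and the five-cell cache and the bitmap bytes are constructed sample data. It places the `>` guard that lets cacheId == maxCells through beside the `<` guard that checks the index against the real array size, and the hardened put routine never touches cells[] until that check has passed.

```c
/* Added illustration of the CWE-129 off-by-one in a bitmap cache.
 * Simplified model for this page, not FreeRDP's own code; all names
 * below are hypothetical. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint32_t width, height;
    uint8_t *data;          /* owned copy of the bitmap bytes, or NULL */
} cache_cell;

typedef struct {
    uint32_t maxCells;      /* number of entries allocated in cells[] */
    cache_cell *cells;      /* valid indices are 0 .. maxCells-1 */
} bitmap_cache;

/* Vulnerable guard (model of the pre-fix check): `id > maxCells` accepts
 * id == maxCells, which indexes one element past the end of cells[]. */
bool cache_index_ok_vulnerable(uint32_t id, uint32_t maxCells) {
    return !(id > maxCells);
}

/* Fixed guard: the index must be strictly less than the array size. */
bool cache_index_ok_fixed(uint32_t id, uint32_t maxCells) {
    return id < maxCells;
}

/* Returns 1 for any id the vulnerable guard accepts but the fixed guard
 * rejects, i.e. exactly the off-by-one value id == maxCells. */
int guards_disagree(uint32_t id, uint32_t maxCells) {
    return cache_index_ok_vulnerable(id, maxCells) &&
           !cache_index_ok_fixed(id, maxCells);
}

bitmap_cache *bitmap_cache_new(uint32_t maxCells) {
    bitmap_cache *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->cells = calloc(maxCells, sizeof *c->cells);   /* exactly maxCells entries */
    if (!c->cells) { free(c); return NULL; }
    c->maxCells = maxCells;
    return c;
}

void bitmap_cache_free(bitmap_cache *c) {
    if (!c) return;
    for (uint32_t i = 0; i < c->maxCells; i++) free(c->cells[i].data);
    free(c->cells);
    free(c);
}

/* Store a server-supplied bitmap in cell `id`. The index is validated
 * against the real array dimension before any access to cells[].
 * Returns 0 on success, -1 if the server sent an out-of-range cacheId
 * or memory could not be allocated. */
int bitmap_cache_put_fixed(bitmap_cache *c, uint32_t id,
                           const uint8_t *data, size_t len) {
    if (!cache_index_ok_fixed(id, c->maxCells)) {
        fprintf(stderr, "cacheId %" PRIu32 " >= maxCells %" PRIu32
                ": rejecting CACHE_BITMAP_ORDER\n", id, c->maxCells);
        return -1;
    }
    uint8_t *copy = malloc(len);
    if (!copy) return -1;
    memcpy(copy, data, len);
    free(c->cells[id].data);   /* replace any earlier entry in this cell */
    c->cells[id].data = copy;
    return 0;
}

int main(void) {
    const uint32_t maxCells = 5;                      /* constructed cache size */
    const uint8_t sample[4] = {0xde, 0xad, 0xbe, 0xef}; /* constructed bitmap bytes */
    bitmap_cache *c = bitmap_cache_new(maxCells);
    if (!c) return 1;
    printf("put id=4 (last valid cell) -> %d\n",
           bitmap_cache_put_fixed(c, 4, sample, sizeof sample));
    printf("put id=5 (== maxCells)     -> %d\n",
           bitmap_cache_put_fixed(c, 5, sample, sizeof sample));
    printf("vulnerable guard accepts id == maxCells: %d\n",
           guards_disagree(maxCells, maxCells));
    bitmap_cache_free(c);
    return 0;
}
```

The two guard functions differ only in the comparison operator, which is the whole bug: with `>` the server-controlled index can equal the array length, and with `<` it cannot. Keeping the index check in a single helper that the put routine calls before touching cells[] is the pattern to look for when reviewing similar cache code.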

Responsible

GitHub M

Reservation

03/04/2026

Disclosure

03/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00101

KEV

no

Activities

very low

Sources
