FreeRDP up to 3.22.x planar_decompress_plane_rle out-of-bounds write

Summaryinfo

A vulnerability marked as critical has been reported in FreeRDP up to 3.22.x. Impacted is the function planar_decompress_plane_rle. This manipulation causes out-of-bounds write. The identification of this vulnerability is CVE-2026-26965. It is possible to initiate the attack remotely. There is no exploit available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability classified as critical was found in FreeRDP up to 3.22.x. Affected by this vulnerability is the function planar_decompress_plane_rle. The manipulation with an unknown input leads to a out-of-bounds write vulnerability. The CWE definition for the vulnerability is CWE-787. The product writes data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128×128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability.

The advisory is shared at github.com. This vulnerability is known as CVE-2026-26965 since 02/16/2026. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available.

The vulnerability scanner Nessus provides a plugin with the ID 299995 (Linux Distros Unpatched Vulnerability : CVE-2026-26965), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 3.23.0 eliminates this vulnerability. Applying the patch a0be5cb87d760bb1c803ad1bb835aa1e73e62abc is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (299995) and CERT Bund (WID-SEC-2026-0514). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Affected

• Amazon Linux 2
• Red Hat Enterprise Linux
• Fedora Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• SUSE openSUSE
• RESF Rocky Linux
• Open Source FreeRDP

Productinfo

Type

• Remote Access Software

Name

• FreeRDP

Version

• 3.0
• 3.1
• 3.2
• 3.3
• 3.4
• 3.5
• 3.6
• 3.7
• 3.8
• 3.9
• 3.10
• 3.11
• 3.12
• 3.13
• 3.14
• 3.15
• 3.16
• 3.17
• 3.18
• 3.19
• 3.20
• 3.21
• 3.22

License

• open-source

Website

• Product: https://github.com/FreeRDP/FreeRDP/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion