PatchSiren cyber security CVE debrief
CVE-2026-26965 FreeRDP CVE debrief
CVE-2026-26965 is a heap out-of-bounds write vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. The vulnerability allows a remote, unauthenticated attacker to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. This can lead to control-flow–relevant corruption, including the overwriting of a function pointer. The vulnerability is patched in version 3.23.0.
- Vendor: FreeRDP
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-25
- Original CVE updated: 2026-06-30
- Advisory published: 2026-02-25
- Advisory updated: 2026-06-30
Who should care
Organizations using FreeRDP should prioritize patching to prevent potential exploitation. This vulnerability is particularly concerning for environments where Remote Desktop Protocol (RDP) is exposed to untrusted networks or users. FreeRDP users should ensure they update to version 3.23.0 or later to mitigate this vulnerability.
Technical summary
The vulnerability exists in the RLE planar decode path of FreeRDP, specifically in the `planar_decompress_plane_rle()` function. This function writes into `pDstData` without verifying that the destination coordinates fit within the allocated buffer. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData`, which is sized for the desktop. However, the validation of `nYDst` is only performed against the surface by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data. The out-of-bounds write can reach up to 132,096 bytes past the temp buffer end. In certain scenarios, such as when the heap layout is deterministic and the desktop size is ≤ 128×128, an adjacent `NSC_CONTEXT` struct's `decode` function pointer can be overwritten with attacker-controlled pixel data, leading to control-flow–relevant corruption.
Defensive priority
High. This vulnerability allows for remote code execution and has a CVSS score of 8.8, indicating a high severity. Immediate patching is recommended.
Recommended defensive actions
- Update FreeRDP to version 3.23.0 or later.
- Restrict access to RDP services to trusted networks and users.
- Implement additional monitoring for suspicious RDP activity.
- Consider using network segmentation to limit the impact of a potential breach.
- Regularly review and update vulnerability management processes to ensure timely patching of critical vulnerabilities.
Evidence notes
The CVE record and NVD detail provide comprehensive information about the vulnerability, including its description, CVSS score, and affected versions. Multiple vendor advisories and patches are available, confirming the existence and impact of this vulnerability.
Official resources
- CVE-2026-26965 CVE record (CVE.org)
- CVE-2026-26965 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Exploit, Mitigation, Patch, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.