PatchSiren cyber security CVE debrief

CVE-2026-26965 FreeRDP CVE debrief

CVE-2026-26965 is a heap out-of-bounds write vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. The vulnerability allows a remote, unauthenticated attacker to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. This can lead to control-flow–relevant corruption, including the overwriting of a function pointer. The vulnerability is patched in version 3.23.0.

Vendor
FreeRDP
Product
Unknown
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-25
Original CVE updated
2026-06-30
Advisory published
2026-02-25
Advisory updated
2026-06-30

Who should care

Organizations using FreeRDP should prioritize patching to prevent potential exploitation. This vulnerability is particularly concerning for environments where Remote Desktop Protocol (RDP) is exposed to untrusted networks or users. FreeRDP users should ensure they update to version 3.23.0 or later to mitigate this vulnerability.

Technical summary

The vulnerability exists in the RLE planar decode path of FreeRDP, specifically in the `planar_decompress_plane_rle()` function. This function writes into `pDstData` without verifying that the destination coordinates fit within the allocated buffer. When `TempFormat != DstFormat`, `pDstData` is `planar->pTempData`, a buffer sized for the desktop. However, `nYDst` is validated only against the surface dimensions by `is_within_surface()`, not against the smaller temp buffer that actually receives the write. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data. The out-of-bounds write can reach up to 132,096 bytes past the end of the temp buffer. In certain scenarios, such as when the heap layout is deterministic and the desktop size is ≤ 128×128, the `decode` function pointer of an adjacent `NSC_CONTEXT` struct can be overwritten with attacker-controlled pixel data, leading to control-flow–relevant corruption.
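Added example (hypothetical helpers, not FreeRDP's code) showing the check mismatch described above: a destination rectangle validated only against the surface's width and height can still overflow a smaller desktop-sized temp buffer, so the decoder must check against the stride and size of the buffer it actually writes to. Function names, the 128×128 temp buffer and the 1024×768 surface are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Models a surface-only check: does the rectangle fit inside a
 * surface of surfaceW x surfaceH pixels? This says nothing about
 * the byte size of the buffer the decoder is about to write into. */
static bool check_surface_only(uint32_t nXDst, uint32_t nYDst,
                               uint32_t nWidth, uint32_t nHeight,
                               uint32_t surfaceW, uint32_t surfaceH)
{
    return (uint64_t)nXDst + nWidth <= surfaceW &&
           (uint64_t)nYDst + nHeight <= surfaceH;
}

/* Hardened check: does writing nHeight rows of nWidth pixels at
 * (nXDst, nYDst), with row stride nDstStep and bytesPerPixel, stay
 * within dstSize bytes? 64-bit arithmetic so large attacker-supplied
 * coordinates cannot wrap around and pass the comparison. */
static bool check_dst_buffer(uint32_t nXDst, uint32_t nYDst,
                             uint32_t nWidth, uint32_t nHeight,
                             uint32_t nDstStep, uint32_t bytesPerPixel,
                             size_t dstSize)
{
    if (nWidth == 0 || nHeight == 0)
        return true;                      /* nothing is written */
    if (nDstStep == 0 || bytesPerPixel == 0)
        return false;
    uint64_t lastRow = (uint64_t)nYDst + nHeight - 1;
    uint64_t rowEnd  = ((uint64_t)nXDst + nWidth) * bytesPerPixel;
    if (rowEnd > nDstStep)                /* row would spill past its stride */
        return false;
    uint64_t lastByte = lastRow * nDstStep + rowEnd;
    return lastByte <= dstSize;
}
```

In the constructed case below, a 64×16 block at `nYDst = 500` passes the surface check (1024×768) but lands 198,400 bytes past the end of a 128×128×4-byte temp buffer, which is the class of write the advisory describes.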

Defensive priority

High. This vulnerability allows for remote code execution and has a CVSS score of 8.8, indicating a high severity. Immediate patching is recommended.

Recommended defensive actions

  • Update FreeRDP to version 3.23.0 or later.
  • Restrict access to RDP services to trusted networks and users.
  • Implement additional monitoring for suspicious RDP activity.
  • Consider using network segmentation to limit the impact of a potential breach.
  • Regularly review and update vulnerability management processes to ensure timely patching of critical vulnerabilities.

Evidence notes

The CVE record and NVD detail provide comprehensive information about the vulnerability, including its description, CVSS score, and affected versions. Multiple vendor advisories and patches are available, confirming the existence and impact of this vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.