PatchSiren cyber security CVE debrief
CVE-2026-45700 FreeRDP CVE debrief
FreeRDP versions prior to 3.26.0 contain an out-of-bounds heap write vulnerability in the planar bitmap decoder. The flaw exists in `freerdp_bitmap_decompress_planar()` within `libfreerdp/codec/planar.c`, where the function validates the X destination coordinate `nXDst` against the caller-provided destination stride (`nDstStep`) even when writing to an internal temporary buffer (`pTempData`). An attacker can bypass this validation by supplying a large `nDstStep` paired with a large `nXDst`, causing `planar_decompress_plane_rle()` to write beyond the bounds of `pTempData`. This vulnerability affects RLE planar data decoding and could lead to heap corruption. The issue was resolved in FreeRDP version 3.26.0.
- Vendor: FreeRDP
- Product: Unknown
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations using FreeRDP for remote desktop connectivity, particularly those exposing RDP services to external networks or untrusted clients. Security teams responsible for vulnerability management in open-source remote access infrastructure. Developers integrating FreeRDP libraries into custom RDP client or server implementations.
Technical summary
The vulnerability stems from improper validation logic in `freerdp_bitmap_decompress_planar()`, where coordinate checks intended for the final destination buffer are incorrectly applied to an internal temporary buffer. When processing RLE-compressed planar bitmap data, the function `planar_decompress_plane_rle()` writes decoded data to `pTempData` without adequate bounds verification. By manipulating the `nDstStep` and `nXDst` values, an attacker can cause the RLE decompression to exceed the allocated size of `pTempData`, resulting in heap memory corruption. The weakness is classified as CWE-787 (Out-of-bounds Write). The CVSS 4.0 score of 7.7 (HIGH) reflects high impact on confidentiality, integrity, and availability over a network attack vector with low attack complexity, though user interaction is required.
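To make the flaw concrete, the following C model (an added illustration, not FreeRDP's code and not the 3.26.0 patch) contrasts a check that validates the X offset against the caller's `nDstStep` with one that bounds the write by the temporary buffer actually receiving it. The parameter names mirror the advisory; the row-major layout, the 4-byte pixel size and the buffer dimensions are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* One byte past the last byte a plane write touches, for a plane placed at
 * (nXDst, nYDst) in a buffer with `step` bytes per row and `bpp` bytes per
 * pixel. Computed in 64 bits so large peer-controlled values cannot wrap. */
static uint64_t plane_write_end(uint32_t nXDst, uint32_t nYDst, uint32_t nWidth,
                                uint32_t nHeight, uint32_t step, uint32_t bpp)
{
	if (nWidth == 0 || nHeight == 0)
		return 0;
	return ((uint64_t)nYDst + nHeight - 1) * step + ((uint64_t)nXDst + nWidth) * bpp;
}

/* Flawed shape of the check the advisory describes: the X offset is validated
 * against the caller-supplied nDstStep even though the bytes are written into
 * the internal pTempData, whose stride and size the caller does not set. */
bool check_flawed(uint32_t nXDst, uint32_t nWidth, uint32_t nDstStep, uint32_t bpp)
{
	return ((uint64_t)nXDst + nWidth) * bpp <= nDstStep;
}

/* Corrected shape: bound the write by the buffer that actually receives it.
 * tempStep/tempSize describe pTempData in this model (assumed layout:
 * row-major, tempStep bytes per row, tempSize bytes in total). */
bool check_fixed(size_t tempSize, uint32_t tempStep, uint32_t nXDst, uint32_t nYDst,
                 uint32_t nWidth, uint32_t nHeight, uint32_t bpp)
{
	if (((uint64_t)nXDst + nWidth) * bpp > tempStep)
		return false; /* a single row would already run past the row end */
	return plane_write_end(nXDst, nYDst, nWidth, nHeight, tempStep, bpp) <= tempSize;
}

/* Constructed scenario mirroring the advisory's description (not a real RDP
 * stream): a 64x64 temporary buffer, a very large caller stride and an X
 * offset far past the temporary row. Returns true when the flawed check
 * accepts the write that the corrected check rejects. */
bool demo_mismatch(void)
{
	const uint32_t bpp = 4, nWidth = 64, nHeight = 64;
	const uint32_t tempStep = nWidth * bpp;             /* 256 bytes per row */
	const size_t tempSize = (size_t)tempStep * nHeight; /* 16384 bytes */
	const uint32_t nXDst = 1000, nYDst = 0, nDstStep = 1u << 20;
	bool flawed = check_flawed(nXDst, nWidth, nDstStep, bpp);
	bool fixed = check_fixed(tempSize, tempStep, nXDst, nYDst, nWidth, nHeight, bpp);
	return flawed && !fixed;
}
```

The point for reviewers of similar decoders: every bounds check must be derived from the buffer the write lands in, not from a stride the peer supplies for a different buffer.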
Defensive priority
HIGH
Recommended defensive actions
- Upgrade FreeRDP to version 3.26.0 or later to remediate the out-of-bounds heap write vulnerability in the planar bitmap decoder.
- If immediate patching is not feasible, restrict RDP connections to trusted sources and monitor for anomalous bitmap decoding operations that may indicate exploitation attempts.
- Review application logs for crashes or memory corruption indicators in FreeRDP processes handling RLE planar bitmap data.
- Assess client and server deployments of FreeRDP to identify systems running affected versions prior to 3.26.0.
Evidence notes
Vulnerability description sourced from the NVD record published 2026-05-29T20:16:27.533Z. Fix version 3.26.0 confirmed in the advisory. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no privileges required, user interaction required, and high impact to confidentiality, integrity, and availability.
Official resources
- CVE-2026-45700 CVE record (CVE.org)
- CVE-2026-45700 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-29