PatchSiren cyber security CVE debrief
CVE-2026-57158 FreeRDP CVE debrief
CVE-2026-57158 is a MEDIUM severity vulnerability in FreeRDP clients using the GFX pipeline, with an incomplete fix for CVE-2026-23530. A malicious RDP server can send a truncated RDPGFX_CMDID_WIRETOSURFACE_1 planar payload that reads one byte past the input buffer. This issue is fixed in version 3.28.0. The vulnerability exists in the planar_decompress_plane_rle_only function in libfreerdp/codec/planar.c. Users of FreeRDP clients with GFX pipeline enabled should update to version 3.28.0 or later to mitigate this vulnerability.
- Vendor
- FreeRDP
- Product
- Unknown
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of FreeRDP clients with GFX pipeline enabled should update to version 3.28.0 or later to mitigate this vulnerability. This includes operators of affected systems, platform administrators, vulnerability management teams, and security teams. The vulnerability has a relatively low CVSS score, but it still requires attention to prevent potential information disclosure.
Technical summary
The vulnerability exists in the planar_decompress_plane_rle_only function in libfreerdp/codec/planar.c. An attacker can exploit this by sending a specially crafted RDPGFX_CMDID_WIRETOSURFACE_1 planar payload, potentially leading to information disclosure. The vulnerability has a CVSS score of 5.1 and a MEDIUM severity. The issue is fixed in version 3.28.0, and users should update to this version or later to mitigate the vulnerability.
Defensive priority
Medium priority, as the vulnerability requires a malicious RDP server and has a relatively low CVSS score.
Recommended defensive actions
- Update FreeRDP clients to version 3.28.0 or later
- Restrict access to RDP servers to trusted users only
- Monitor RDP traffic for suspicious activity
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-10T20:16:48.523Z and has not been modified since then. The NVD entry is currently 5.1 MEDIUM. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide additional details about the vulnerability, and the NVD entry does not offer further information. Users should review the official advisory for more information.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T20:16:48.523Z and has not been modified since then.