CVE-2026-26965Out-of-bounds Write in Freerdp

CWE-787Out-of-bounds Write7 documents7 sources
Severity
8.8HIGHNVD
EPSS
0.1%
top 75.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
FreerdpDebian Freerdp2Debian Freerdp3
Timeline
PublishedFeb 25
Latest updateMar 18

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against th

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

NVDfreerdp/freerdp< 3.23.0
debiandebian/freerdp2< freerdp3 3.23.0+dfsg-1 (forky)
debiandebian/freerdp3< freerdp3 3.23.0+dfsg-1 (forky)

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
OSV
CVE-2026-26965: FreeRDP is a free implementation of the Remote Desktop Protocol2026-02-25

📋Vendor Advisories

3
Ubuntu
FreeRDP vulnerabilities2026-03-18
Red Hat
freerdp: FreeRDP: Arbitrary code execution via heap out-of-bounds write in RLE planar decode path2026-02-25
Debian
CVE-2026-26965: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-26965 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-26965 freerdp: FreeRDP: Arbitrary code execution via heap out-of-bounds write in RLE planar decode path2026-02-26