CVE Catalog

CVE-2026-45700

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.46%

37th percentile — higher than 37% of all known CVEs

Summary

FreeRDP before version 3.26.0 has a heap out-of-bounds write vulnerability in the planar bitmap decoder. The flaw in freerdp_bitmap_decompress_planar() improperly validates destination coordinates, allowing an attacker to write past the end of the internal pTempData buffer.

Risk Assessment

An attacker can remotely crash the FreeRDP client or potentially execute arbitrary code in the process context, leading to system compromise.

Recommendation

Upgrade FreeRDP to version 3.26.0 or later immediately, which contains the fix for this vulnerability.

Original NVD description (English source)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/planar.c, freerdp_bitmap_decompress_planar() validates the X destination coordinate nXDst against the caller-provided destination stride (nDstStep) even when it is writing into the internal temp buffer pTempData. An attacker can bypass the check with a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData. This vulnerability is fixed in 3.26.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS