CVE-2026-45700
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk37th percentile — higher than 37% of all known CVEs
Summary
FreeRDP before version 3.26.0 has a heap out-of-bounds write vulnerability in the planar bitmap decoder. The flaw in freerdp_bitmap_decompress_planar() improperly validates destination coordinates, allowing an attacker to write past the end of the internal pTempData buffer.
Risk Assessment
An attacker can remotely crash the FreeRDP client or potentially execute arbitrary code in the process context, leading to system compromise.
Recommendation
Upgrade FreeRDP to version 3.26.0 or later immediately, which contains the fix for this vulnerability.
Original NVD description (English source)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/planar.c, freerdp_bitmap_decompress_planar() validates the X destination coordinate nXDst against the caller-provided destination stride (nDstStep) even when it is writing into the internal temp buffer pTempData. An attacker can bypass the check with a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData. This vulnerability is fixed in 3.26.0.

