CVE-2026-23530
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk35th percentile - higher than 35% of all known CVEs
Summary
In FreeRDP prior to version 3.21.0, the `freerdp_bitmap_decompress_planar` function does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk.
Risk Assessment
The organization is exposed to Denial of Service attacks and potential remote code execution via a malicious RDP server, which could lead to client machine compromise.
Recommendation
Upgrade FreeRDP to version 3.21.0 or later immediately, which contains the fix for this vulnerability.
Original NVD description (English source)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

