CVE Catalog

CVE-2026-23530

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.44%

35th percentile - higher than 35% of all known CVEs

Summary

In FreeRDP prior to version 3.21.0, the `freerdp_bitmap_decompress_planar` function does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk.

Risk Assessment

The organization is exposed to Denial of Service attacks and potential remote code execution via a malicious RDP server, which could lead to client machine compromise.

Recommendation

Upgrade FreeRDP to version 3.21.0 or later immediately, which contains the fix for this vulnerability.

Original NVD description (English source)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS