CVE-2026-26965 Overview
FreeRDP, a free implementation of the Remote Desktop Protocol, contains a heap out-of-bounds write vulnerability in the RLE planar decode path prior to version 3.23.0. The planar_decompress_plane_rle() function writes into pDstData at calculated offsets without properly verifying that the destination coordinates fit within the allocated buffer bounds. Specifically, the function fails to verify that (nYDst+nSrcHeight) fits in the destination height or that (nXDst+nSrcWidth) fits in the destination stride.
When TempFormat differs from DstFormat, pDstData is planar->pTempData, a buffer sized for the negotiated desktop, while nYDst is validated only against the surface by is_within_surface(). Because the surface check says nothing about the size of the temp buffer, a malicious RDP server can perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any FreeRDP client that connects to it.
Critical Impact
A malicious RDP server can corrupt control flow by overwriting function pointers in neighbouring heap structures. The out-of-bounds write can reach up to 132,096 bytes past the end of the temp buffer, and for desktops of at most 128×128 pixels, where that buffer is small enough to be served from the brk heap, an adjacent NSC_CONTEXT struct's decode function pointer can be overwritten with attacker-controlled pixel data, potentially leading to remote code execution.
Affected Products
- FreeRDP versions prior to 3.23.0
- Applications and systems using vulnerable FreeRDP libraries
- FreeRDP-based RDP clients connecting to untrusted servers
Discovery Timeline
- 2026-02-25 - CVE-2026-26965 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-26965
Vulnerability Analysis
This vulnerability is classified as CWE-787 (Out-of-bounds Write), a memory corruption flaw in the planar codec decompression functionality. The root issue lies in the planar_decompress_plane_rle() function within libfreerdp/codec/planar.c, which performs pixel data decompression without adequate bounds checking.
The vulnerability is network-exploitable and requires user interaction: the victim must connect a FreeRDP client to a server the attacker controls. From then on the attacker chooses the RLE-encoded pixel data the client decodes, and with it both where the out-of-bounds write lands and what it writes. The demonstrated exploitation corrupts control flow by overwriting the nsc->decode function pointer with bytes taken from attacker-controlled pixel data (the marker value 0xFF414141FF414141 in the demonstration), which is the precondition for arbitrary code execution.
Root Cause
The root cause is a missing check of the destination rectangle against the buffer that is actually written. The function computes write offsets as ((nYDst+y) * nDstStep) + (4*nXDst) + nChannel but validates the coordinates only against the surface dimensions via is_within_surface(), never against the allocated size of the target buffer. On the temporary-buffer path (TempFormat != DstFormat) that target is pTempData, which is sized for the desktop rather than the surface, so a rectangle that lies entirely within the surface can still extend past the end of pTempData, and the write goes out of bounds.
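As an added illustration of this root cause (example code written for this page, not FreeRDP's own; the context type, its field names and the two decode functions are simplified stand-ins, and a guard region placed after the temp buffer in the same allocation takes the role of the adjacent heap object), the following C program puts the pre-fix check sequence beside the hardened one. The vulnerable path checks the rectangle only against the surface and then writes into a temp buffer sized for a 128×128 desktop; the fixed path additionally checks (nYDst + nSrcHeight) against the height of the buffer being written and (nXDst + nSrcWidth) * 4 against its stride.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_FILL 0xCC /* marks the bytes that stand in for the adjacent heap object */

/* Simplified stand-in for the planar context; field names are assumptions for this example.
 * pTempData is sized for the desktop (maxWidth x maxHeight, 4 bytes/pixel) and is followed,
 * in the same allocation, by guardSize bytes that play the neighbouring heap object. */
typedef struct {
    uint32_t maxWidth, maxHeight;
    size_t tempStep, tempSize, guardSize; /* bytes per row, tempStep * maxHeight, guard bytes */
    uint8_t *pTempData;
} planar_ctx_t;

/* The surface being drawn into; it may be larger than the desktop the context was sized for. */
typedef struct { uint32_t width, height; } surface_t;

bool planar_ctx_init(planar_ctx_t *ctx, uint32_t maxWidth, uint32_t maxHeight, size_t guardSize)
{
    memset(ctx, 0, sizeof(*ctx));
    ctx->maxWidth = maxWidth;  ctx->maxHeight = maxHeight;
    ctx->tempStep = (size_t)maxWidth * 4;  ctx->tempSize = ctx->tempStep * maxHeight;
    ctx->guardSize = guardSize;
    if (!(ctx->pTempData = malloc(ctx->tempSize + guardSize)))
        return false;
    memset(ctx->pTempData, 0, ctx->tempSize);
    memset(ctx->pTempData + ctx->tempSize, GUARD_FILL, guardSize);
    return true;
}

void planar_ctx_free(planar_ctx_t *ctx) { free(ctx->pTempData); ctx->pTempData = NULL; }

/* Count of guard bytes a decode has overwritten, i.e. damage done to the "neighbouring object". */
size_t guard_bytes_clobbered(const planar_ctx_t *ctx)
{
    size_t n = 0;
    for (size_t i = 0; i < ctx->guardSize; i++)
        n += ctx->pTempData[ctx->tempSize + i] != GUARD_FILL;
    return n;
}

/* What is_within_surface() establishes: the rectangle fits the surface, nothing more. */
static bool is_within_surface(const surface_t *s, uint32_t nXDst, uint32_t nYDst,
                              uint32_t nSrcWidth, uint32_t nSrcHeight)
{
    return (uint64_t)nXDst + nSrcWidth <= s->width && (uint64_t)nYDst + nSrcHeight <= s->height;
}

/* One channel of a nSrcWidth x nSrcHeight block, stored at the offset formula quoted above:
 * ((nYDst + y) * nDstStep) + 4 * (nXDst + x) + nChannel. Performs no check of its own. */
static void write_plane(uint8_t *dst, size_t nDstStep, uint32_t nXDst, uint32_t nYDst,
                        uint32_t nSrcWidth, uint32_t nSrcHeight, uint32_t nChannel, uint8_t value)
{
    for (uint32_t y = 0; y < nSrcHeight; y++)
        for (uint32_t x = 0; x < nSrcWidth; x++)
            dst[(size_t)(nYDst + y) * nDstStep + 4 * (size_t)(nXDst + x) + nChannel] = value;
}

/* Pre-fix order of checks: plane size against the context, destination only against the
 * surface, then the write goes into the desktop-sized temp buffer regardless. */
bool decode_plane_vulnerable(planar_ctx_t *ctx, const surface_t *surf, uint32_t nXDst, uint32_t nYDst,
                             uint32_t nSrcWidth, uint32_t nSrcHeight, uint32_t nChannel, uint8_t value)
{
    if (nSrcWidth > ctx->maxWidth || nSrcHeight > ctx->maxHeight)
        return false;
    if (!is_within_surface(surf, nXDst, nYDst, nSrcWidth, nSrcHeight))
        return false;
    write_plane(ctx->pTempData, ctx->tempStep, nXDst, nYDst, nSrcWidth, nSrcHeight, nChannel, value);
    return true;
}

/* Hardened form: the rectangle must also fit the buffer actually written, in rows
 * ((nYDst + nSrcHeight) vs. its height) and in bytes per row ((nXDst + nSrcWidth) * 4 vs. its stride). */
bool decode_plane_fixed(planar_ctx_t *ctx, const surface_t *surf, uint32_t nXDst, uint32_t nYDst,
                        uint32_t nSrcWidth, uint32_t nSrcHeight, uint32_t nChannel, uint8_t value)
{
    if (nSrcWidth > ctx->maxWidth || nSrcHeight > ctx->maxHeight || nChannel > 3)
        return false;
    if (!is_within_surface(surf, nXDst, nYDst, nSrcWidth, nSrcHeight))
        return false;
    if ((uint64_t)nYDst + nSrcHeight > ctx->maxHeight || ((uint64_t)nXDst + nSrcWidth) * 4 > ctx->tempStep)
        return false;
    write_plane(ctx->pTempData, ctx->tempStep, nXDst, nYDst, nSrcWidth, nSrcHeight, nChannel, value);
    return true;
}

int main(void)
{
    planar_ctx_t ctx;
    surface_t surf = { 256, 256 }; /* surface larger than the 128x128 desktop */
    if (!planar_ctx_init(&ctx, 128, 128, 4096))
        return 1;
    /* 64x16 block at row 120: rows 120..135 pass the surface check, rows 128..135 lie past pTempData */
    bool fixed_ok = decode_plane_fixed(&ctx, &surf, 0, 120, 64, 16, 3, 0x41);
    printf("fixed:      accepted=%d, guard bytes clobbered=%zu\n", fixed_ok, guard_bytes_clobbered(&ctx));
    bool vuln_ok = decode_plane_vulnerable(&ctx, &surf, 0, 120, 64, 16, 3, 0x41);
    printf("vulnerable: accepted=%d, guard bytes clobbered=%zu\n", vuln_ok, guard_bytes_clobbered(&ctx));
    planar_ctx_free(&ctx);
    return 0;
}
```

With a 256×256 surface, a 128×128 desktop and a 64×16 block placed at row 120, the request passes is_within_surface() yet its last eight rows land past the end of the temp buffer: the vulnerable decoder accepts it and overwrites 512 bytes (one channel of 8 rows × 64 pixels) of the guard region, while the hardened decoder rejects it and leaves the guard untouched. Keeping the guard inside the same allocation means the program runs cleanly under AddressSanitizer; in real FreeRDP those bytes belong to whatever the allocator placed next, which is how the NSC_CONTEXT overwrite above arises.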
Attack Vector
The attack is network-based: the victim's FreeRDP client must connect to a server the attacker controls, which takes social engineering, a man-in-the-middle position, or a legitimately used server that has been compromised. The server then sends specially crafted RLE-encoded planar data that triggers the out-of-bounds write. Because the attacker controls both the offset (via nYDst, nXDst and the block dimensions) and the pixel data, an attacker can:
- Write up to 132,096 bytes beyond the allocated temp buffer
- Target adjacent heap structures such as NSC_CONTEXT
- Overwrite function pointers to achieve control-flow hijacking
- Potentially execute arbitrary code on the victim's system
if (planar->maxHeight < nSrcHeight)
return FALSE;
+ const UINT32 bpp = FreeRDPGetBytesPerPixel(DstFormat);
if (nDstStep <= 0)
- nDstStep = nDstWidth * FreeRDPGetBytesPerPixel(DstFormat);
+ nDstStep = nDstWidth * bpp;
const BYTE* srcp = pSrcData;
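Review bot: none of the visible lines bound the destination rectangle; the hunk hoists FreeRDPGetBytesPerPixel(DstFormat) into `bpp` and reuses it for the default `nDstStep`, so on its own this excerpt does not close the out-of-bounds write described above. The check the text calls for belongs right after `nDstStep` is settled, and because the buffer actually written may be planar->pTempData rather than the caller's surface, it has to compare (nYDst + nSrcHeight) with the height that buffer was allocated for and (nXDst + nSrcWidth) * bpp with that buffer's stride, not only with the surface that is_within_surface() checks; note too that `bpp` is derived from DstFormat, which is not necessarily the pixel size of the temp buffer. The `@@` header and indentation were lost in extraction, so it is worth stating which function this context comes from: `planar->maxHeight < nSrcHeight` and the `nDstStep` default read as the decoder's entry-point setup rather than the inner RLE plane loop planar_decompress_plane_rle() named in the prose.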
Source: GitHub Commit a0be5cb
Detection Methods for CVE-2026-26965
Indicators of Compromise
- Unusual crash dumps or memory corruption errors from FreeRDP client processes
- Unexpected function pointer values in heap memory analysis (the 0xFF414141FF414141 pattern reported for NSC_CONTEXT is the demonstration's filler; a real exploit would write a plausible code address, so look for nsc->decode pointing outside the FreeRDP code mappings rather than for that literal value)
- RDP connections to unfamiliar or suspicious server addresses
- Process behavior anomalies following RDP session establishment
Detection Strategies
- Monitor FreeRDP client processes for memory access violations or segmentation faults during RDP sessions
- Deploy endpoint detection rules to identify heap corruption patterns associated with out-of-bounds writes
- Analyze network traffic for malformed planar-encoded bitmap data whose dimensions exceed the negotiated desktop, bearing in mind that RDP sessions are normally TLS-encrypted, so this requires a decrypting proxy or client-side capture rather than passive inspection
- Use memory integrity monitoring tools to detect function pointer corruption in heap allocations
Monitoring Recommendations
- Enable detailed logging for FreeRDP client connections, including server addresses and session events
- Configure endpoint protection to alert on abnormal memory access patterns in RDP client applications
- Implement network monitoring to detect connections to untrusted or newly registered RDP server addresses
- Review crash reports and error logs from FreeRDP-based applications for signs of exploitation attempts
How to Mitigate CVE-2026-26965
Immediate Actions Required
- Upgrade FreeRDP to version 3.23.0 or later immediately
- Audit all systems and applications that depend on FreeRDP libraries for vulnerable versions
- Avoid connecting FreeRDP clients to untrusted or unknown RDP servers until patched
- Implement network segmentation to limit exposure of RDP clients to potentially malicious servers
- Review and update third-party applications that bundle FreeRDP components
Patch Information
The vulnerability is fixed in FreeRDP version 3.23.0. The patch adds proper destination bounds validation in the planar decompression code to ensure write operations cannot exceed allocated buffer boundaries. Organizations should update to this version or apply the security patch from the GitHub commit. For additional details, refer to the GitHub Security Advisory GHSA-5vgf-mw4f-r33h.
Workarounds
- Restrict RDP client connections to trusted, verified servers only via network policies or firewall rules
- Run FreeRDP clients as a low-privilege user or in a sandbox so that a successful control-flow hijack does not yield broader access; application whitelisting does not help here, because the attack corrupts the legitimate client in memory rather than introducing a new binary
- Use VPN or secure tunnels when connecting to remote RDP servers to reduce exposure to rogue servers
- Consider disabling planar codec support if not required (may impact visual quality); codec choice is negotiated with the server, so treat this as a last resort and confirm that your FreeRDP build actually exposes such an option before relying on it
# Configuration example
# Restrict outbound RDP from the client host to trusted servers only
# Add to firewall rules or network policy; 192.0.2.10 is a placeholder for your server's address
# Use an IP address or CIDR range rather than a hostname: iptables resolves a hostname once,
# when the rule is inserted, so a hostname-based rule would not follow later DNS changes
iptables -A OUTPUT -p tcp --dport 3389 -d 192.0.2.10 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3389 -j DROP
# Caveat: these two rules only cover TCP/3389. A rogue server listening on another port, or the
# RDP UDP transport on 3389/udp, is not caught, so pair them with client-side policy rather than relying on them alone
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.