CVE-2026-29774 Overview
CVE-2026-29774 is a client-side heap buffer overflow vulnerability affecting FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). The vulnerability exists in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing horizontal bounds validation of H.264 metablock regionRects coordinates.
A malicious RDP server can exploit this vulnerability by sending specially crafted WIRE_TO_SURFACE_PDU_1 packets containing AVC420 codec data with regionRects entries where the left coordinate greatly exceeds the surface width. This triggers unchecked pointer arithmetic that writes data far beyond the allocated heap region, potentially causing denial of service or allowing arbitrary code execution on vulnerable clients.
Critical Impact
Attackers controlling a malicious RDP server can trigger heap buffer overflow on connecting FreeRDP clients, potentially leading to remote code execution or denial of service with no authentication required.
Affected Products
- FreeRDP versions prior to 3.24.0
- Applications and distributions using vulnerable FreeRDP client libraries
- Systems connecting to untrusted RDP servers using FreeRDP-based clients
Discovery Timeline
- 2026-03-13 - CVE-2026-29774 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-29774
Vulnerability Analysis
The vulnerability stems from insufficient input validation in FreeRDP's H.264 video codec processing path. Specifically, the clamp() function in yuv.c (line 347) only validates top/bottom coordinates against the surface/YUV height, but critically neglects to check left/right coordinates against the surface width.
When the avc420_yuv_to_rgb function (line 67) computes destination and source pointers using rect->left, it performs unchecked pointer arithmetic. The destination pointer calculation pDstPoint = pDstData + rect->top * nDstStep + rect->left * 4 can result in memory addresses that extend far beyond the allocated surface buffer when left contains malicious values.
This out-of-bounds write vulnerability (CWE-787) allows 16-byte SSE vectors to be written roughly 1888 bytes or more past the end of the allocated heap region, creating conditions for heap corruption, application crashes, or potential arbitrary code execution.
Root Cause
The root cause is the absence of horizontal bounds validation in the rectangle clipping logic. While vertical bounds (top/bottom) are properly validated against surface height, the horizontal bounds (left/right) are never compared against the surface width before being used in pointer arithmetic calculations. This oversight allows an attacker to supply coordinates that exceed the actual buffer boundaries.
Attack Vector
An attacker operates a malicious RDP server that waits for FreeRDP clients to connect. When a victim connects, the server sends a crafted WIRE_TO_SURFACE_PDU_1 packet with AVC420 codec containing a regionRects entry with an excessively large left value (e.g., left=60000 on a 128-pixel wide surface). The H.264 bitstream decodes successfully, then yuv420_process_work_callback calls avc420_yuv_to_rgb, which computes the corrupted destination pointer and writes beyond the heap allocation.
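To make the failing check concrete, the following C illustration (added here, not FreeRDP's own code) computes the destination offset from the pointer arithmetic described above and applies a validator with the same conditions as the fix. The 128-pixel surface, the stride and the left=60000 rectangle are constructed values taken from the advisory's example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A regionRects entry in the shape of RECTANGLE_16 (16-bit unsigned edges). */
typedef struct {
    uint16_t left, top, right, bottom;
} rect16_t;

/* Same conditions as the 3.24.0 fix: every edge inside the surface and a
 * non-empty rectangle. The first test is the horizontal check that was missing. */
bool rect_valid(uint32_t width, uint32_t height, const rect16_t *r)
{
    if (r == NULL) return false;
    if (r->left > width || r->right > width) return false;
    if (r->left >= r->right) return false;
    if (r->top > height || r->bottom > height) return false;
    if (r->top >= r->bottom) return false;
    return true;
}

/* Byte offset of the rectangle's first pixel in a 32-bpp destination buffer,
 * i.e. rect->top * nDstStep + rect->left * 4, computed in 64 bits so the
 * arithmetic itself cannot wrap. */
uint64_t dst_offset_bytes(const rect16_t *r, uint32_t dst_step)
{
    return (uint64_t)r->top * dst_step + (uint64_t)r->left * 4u;
}

/* True when the last byte written for this rectangle stays within alloc_bytes. */
bool rect_write_in_bounds(const rect16_t *r, uint32_t dst_step, size_t alloc_bytes)
{
    if (r->right == 0 || r->bottom == 0) return false;
    uint64_t last = (uint64_t)(r->bottom - 1) * dst_step + (uint64_t)r->right * 4u;
    return last <= alloc_bytes;
}

int main(void)
{
    const uint32_t width = 128, height = 64, step = width * 4;   /* constructed surface */
    const size_t alloc = (size_t)height * step;                  /* 32768 bytes */
    const rect16_t crafted = { 60000, 0, 60001, 1 };             /* left far beyond width */
    const rect16_t sane    = { 0, 0, 128, 64 };
    printf("crafted: offset=%llu alloc=%zu valid=%d\n",
           (unsigned long long)dst_offset_bytes(&crafted, step), alloc,
           rect_valid(width, height, &crafted));
    printf("sane: valid=%d in_bounds=%d\n", rect_valid(width, height, &sane),
           rect_write_in_bounds(&sane, step, alloc));
    return 0;
}
```

The crafted rectangle yields an offset of 240000 bytes into a 32768-byte allocation, and the validator rejects it before any pointer is formed.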
The security patch introduces proper rectangle validation before use:
return yuv_ensure_buffer(h264, stride, width, height);
}
+static BOOL isRectValid(UINT32 width, UINT32 height, const RECTANGLE_16* rect)
+{
+ WINPR_ASSERT(rect);
+ if (rect->left > width)
+ return FALSE;
+ if (rect->right > width)
+ return FALSE;
+ if (rect->left >= rect->right)
+ return FALSE;
+ if (rect->top > height)
+ return FALSE;
+ if (rect->bottom > height)
+ return FALSE;
+ if (rect->top >= rect->bottom)
+ return FALSE;
+ return TRUE;
+}
+static BOOL areRectsValid(UINT32 width, UINT32 height, const RECTANGLE_16* rects, UINT32 count)
+{
+ WINPR_ASSERT(rects || (count == 0));
+ for (size_t x = 0; x < count; x++)
+ {
+ const RECTANGLE_16* rect = &rects[x];
+ if (!isRectValid(width, height, rect))
+ return FALSE;
+ }
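Review bot: areRectsValid guards the rects/count precondition only with `WINPR_ASSERT(rects || (count == 0))`; in a build where that assert is compiled out, a NULL rects with a non-zero count is dereferenced in the loop, so an explicit `if (!rects && count > 0) return FALSE;` would keep the check effective everywhere. A short comment in isRectValid would also help future readers: `left > width` rather than `>=` is sufficient because `left >= right` and `right <= width` together already imply `left < width`.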
Source: GitHub Commit Details
Detection Methods for CVE-2026-29774
Indicators of Compromise
- FreeRDP client crashes or unexpected termination during RDP sessions
- Heap corruption errors in FreeRDP-related processes
- Connections to unknown or untrusted RDP servers with unusual AVC420/AVC444 codec negotiation
- Abnormal memory access patterns in yuv.c or h264.c codec processing
Detection Strategies
- Monitor FreeRDP client processes for crash events and heap corruption signatures
- Implement network inspection for RDP traffic containing unusually large regionRects coordinate values in WIRE_TO_SURFACE_PDU_1 packets
- Deploy endpoint protection solutions that detect heap overflow exploitation attempts
- Audit systems for FreeRDP versions prior to 3.24.0
Monitoring Recommendations
- Enable crash dump collection for FreeRDP client processes to capture exploitation attempts
- Configure SIEM rules to alert on repeated FreeRDP client crashes from specific server connections
- Monitor for connections to unrecognized RDP endpoints that could indicate attacker-controlled servers
- Use SentinelOne's behavioral AI to detect memory corruption exploitation patterns
How to Mitigate CVE-2026-29774
Immediate Actions Required
- Upgrade FreeRDP to version 3.24.0 or later immediately
- Audit all systems using FreeRDP client libraries and prioritize patching
- Restrict RDP client connections to trusted, known servers only
- Consider disabling AVC420/AVC444 codec support as a temporary measure until patching is complete
Patch Information
FreeRDP has released version 3.24.0 which includes the fix for this vulnerability. The patch adds the isRectValid() and areRectsValid() functions in libfreerdp/codec/h264.c to properly validate rectangle coordinates against both width and height before use in pointer arithmetic.
For detailed patch information, refer to the GitHub Security Advisory GHSA-5q35-hv9x-7794 and the commit 6482b7a.
Workarounds
- Restrict RDP connections to trusted servers only using firewall rules or network segmentation
- Disable H.264/AVC codec support in FreeRDP client configuration if not required
- Use network monitoring to detect and block connections to unknown RDP servers
- Deploy endpoint protection solutions capable of detecting heap overflow exploitation
# Verify the installed FreeRDP version; the fix ships in 3.24.0
xfreerdp --version
# Output should show version 3.24.0 or higher
# Package-managed installations: update the FreeRDP 3.x package
# (the freerdp2-* packages are the separate 2.x series and will not reach 3.24.0)
# Debian/Ubuntu
sudo apt update && sudo apt install --only-upgrade freerdp3-x11
# Fedora/RHEL
sudo dnf update freerdp
# Build from source if distribution packages lag behind the fixed release
git clone https://github.com/FreeRDP/FreeRDP.git
cd FreeRDP
git checkout 3.24.0
cmake -B build -DCMAKE_BUILD_TYPE=Release && cmake --build build
sudo cmake --install build
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.