CVE-2026-45700 Overview
CVE-2026-45700 is an out-of-bounds heap write vulnerability in FreeRDP, a widely used open-source implementation of the Remote Desktop Protocol (RDP). The flaw resides in the planar bitmap decoder in libfreerdp/codec/planar.c. When decoding Run-Length Encoded (RLE) planar data, freerdp_bitmap_decompress_planar() improperly validates the X destination coordinate nXDst against the caller-supplied destination stride nDstStep, even when writing into the internal pTempData buffer. An attacker controlling a malicious RDP server can supply crafted bitmap data to trigger writes past the end of the heap-allocated buffer. The issue is fixed in FreeRDP 3.26.0.
Critical Impact
A malicious RDP server can corrupt heap memory in connected FreeRDP clients, leading to crashes or potential remote code execution, with high impact on the confidentiality, integrity, and availability of the client system.
Affected Products
- FreeRDP versions prior to 3.26.0
- Applications and distributions embedding the FreeRDP libfreerdp codec library
- Linux, macOS, and Windows RDP clients built on FreeRDP
Discovery Timeline
- 2026-05-29 - CVE-2026-45700 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-45700
Vulnerability Analysis
The vulnerability is classified under [CWE-787] Out-of-Bounds Write. FreeRDP's planar bitmap decoder processes compressed bitmap updates received from an RDP server. The function freerdp_bitmap_decompress_planar() orchestrates decoding into either a caller-supplied destination buffer or an internal temporary buffer named pTempData.
The bounds check compares the destination X coordinate nXDst against nDstStep, a stride value derived from caller-supplied parameters. This check is appropriate when output is written to the caller buffer, but it is reused for writes into pTempData, whose size does not depend on nDstStep. An RDP server can therefore advertise an oversized nDstStep paired with a large nXDst, satisfying the check while pointing writes far beyond the temporary buffer's actual allocation.
Subsequent calls to planar_decompress_plane_rle() decode attacker-controlled RLE byte streams directly past the end of pTempData, corrupting adjacent heap structures. Because the attack vector is network-based and requires only that a victim connect to a hostile RDP endpoint, exploitation aligns with the documented Vulnerable System impact profile.
Root Cause
The root cause is an incorrect bounds-check assumption: a single validation path treats nDstStep as authoritative for the size of both the external destination and the internal pTempData buffer. The two buffers have independent sizes, so server-controlled stride values let attackers bypass the guard.
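To make the root cause concrete, the following added example (not FreeRDP's code; BPP, the temp-buffer layout and every function name are assumptions for illustration) models the flawed guard beside the corrected one and shows how an inflated nDstStep paired with a large nXDst satisfies the first but is rejected by the second:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Added illustration, not FreeRDP's code: BPP and the temp-buffer layout are assumptions. */
enum { BPP = 4 };
typedef struct {
    uint8_t *data;   /* heap allocation standing in for pTempData */
    size_t   size;   /* bytes actually allocated */
    size_t   stride; /* the temp buffer's own row stride, unrelated to nDstStep */
} temp_buf_t;
/* The decoder sizes its internal buffer from the bitmap dimensions alone. */
static temp_buf_t temp_buf_alloc(uint32_t nWidth, uint32_t nHeight)
{
    temp_buf_t b = { .stride = (size_t)nWidth * BPP };
    b.size = b.stride * nHeight;
    b.data = calloc(1, b.size ? b.size : 1);
    return b;
}

/* Exclusive end offset of an nWidth x nHeight pixel write placed at (nXDst, nYDst). */
static uint64_t write_end(uint32_t nXDst, uint32_t nYDst, uint32_t nWidth,
                          uint32_t nHeight, uint64_t stride)
{
    if (nWidth == 0 || nHeight == 0) return 0;
    return ((uint64_t)nYDst + nHeight - 1) * stride + ((uint64_t)nXDst + nWidth) * BPP;
}
/* Flawed guard: nXDst is measured only against the caller-supplied nDstStep. */
static bool vulnerable_check(uint32_t nXDst, uint32_t nWidth, uint32_t nDstStep)
{
    return ((uint64_t)nXDst + nWidth) * BPP <= nDstStep;
}
/* Corrected guard: bound the whole write by the temp buffer's real size and stride. */
static bool fixed_check(const temp_buf_t *buf, uint32_t nXDst, uint32_t nYDst,
                        uint32_t nWidth, uint32_t nHeight)
{
    return write_end(nXDst, nYDst, nWidth, nHeight, buf->stride) <= buf->size;
}

/* True when the flawed guard admits a write that would overrun the allocation
 * and the corrected guard rejects it: the condition the advisory describes. */
static bool guard_bypassed(uint32_t nWidth, uint32_t nHeight,
                           uint32_t nXDst, uint32_t nYDst, uint32_t nDstStep)
{
    temp_buf_t buf = temp_buf_alloc(nWidth, nHeight);
    bool admitted = vulnerable_check(nXDst, nWidth, nDstStep);
    bool overruns = write_end(nXDst, nYDst, nWidth, nHeight, buf.stride) > buf.size;
    bool rejected = !fixed_check(&buf, nXDst, nYDst, nWidth, nHeight);
    free(buf.data);
    return admitted && overruns && rejected;
}
```

With a 64x64 bitmap the temp buffer is 16384 bytes, yet nXDst = 10000 with a server-advertised nDstStep of 1048576 passes the flawed guard while the write would end 56384 bytes in.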
Attack Vector
An attacker hosts or compromises an RDP server and induces a victim to initiate a connection, for example through a phishing link, malicious .rdp file, or hijacked bookmark. Once the client connects, the server transmits a crafted planar bitmap update that triggers the out-of-bounds write inside the FreeRDP client process.
The vulnerability manifests during RLE planar decoding in libfreerdp/codec/planar.c. Refer to the FreeRDP GHSA-mpxh-8fq3-x8mh advisory for the upstream patch details.
Detection Methods for CVE-2026-45700
Indicators of Compromise
- Unexpected crashes or segmentation faults in FreeRDP-based clients (xfreerdp, wlfreerdp, mstsc-compatible wrappers) shortly after connecting to a remote host.
- Outbound RDP (TCP/3389) connections from user endpoints to untrusted or newly observed external IP addresses.
- Core dumps from FreeRDP processes containing heap corruption signatures near planar_decompress_plane_rle frames.
Detection Strategies
- Inventory installed FreeRDP packages and embedded libraries; flag any version below 3.26.0 for remediation.
- Inspect RDP session telemetry for clients connecting to non-corporate RDP servers, particularly over the public internet.
- Enable AddressSanitizer or heap hardening (e.g., glibc tcache checks) in development and staging builds to surface the out-of-bounds write during fuzz testing.
Monitoring Recommendations
- Alert on FreeRDP client processes that terminate abnormally after establishing an RDP session.
- Monitor egress firewall logs for RDP traffic originating from workstations to atypical destinations and correlate with user activity.
- Track package management events for FreeRDP upgrades to confirm fleet-wide remediation to 3.26.0 or later.
How to Mitigate CVE-2026-45700
Immediate Actions Required
- Upgrade FreeRDP and all dependent client applications to version 3.26.0 or later.
- Restrict outbound RDP connectivity from end-user endpoints to an allowlist of known internal jump hosts.
- Warn users against opening .rdp files or RDP links from untrusted sources until clients are patched.
Patch Information
The vulnerability is fixed in FreeRDP 3.26.0. The fix corrects the bounds-check logic in freerdp_bitmap_decompress_planar() so that writes into pTempData are validated against the temporary buffer's actual size rather than the caller-supplied nDstStep. Distribution maintainers should rebuild downstream packages against the patched release. Full details are available in the FreeRDP GitHub Security Advisory GHSA-mpxh-8fq3-x8mh.
Workarounds
- Block outbound TCP/3389 and UDP/3389 at the perimeter except to vetted RDP gateways.
- Route all RDP usage through a Remote Desktop Gateway that terminates and re-originates sessions, reducing direct exposure to malicious servers.
- Disable bitmap codecs or advanced graphics features in FreeRDP client configurations where operationally feasible until patching is complete.
# Verify the installed FreeRDP version and upgrade if below 3.26.0
xfreerdp --version
# Debian/Ubuntu: upgrade whichever of the two packages your release ships
sudo apt update && sudo apt install --only-upgrade freerdp2-x11 freerdp3-x11
# Fedora/RHEL
sudo dnf upgrade freerdp
# Restrict outbound RDP at the host firewall (Linux nftables example).
# Assumes an existing "inet filter" table with an "output" chain; adjust the
# allowed internal range (10.0.0.0/8 here) to your own jump-host network.
sudo nft add rule inet filter output tcp dport 3389 ip daddr != 10.0.0.0/8 drop
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.