CVE-2026-29775

Published: Mar 13, 2026Modified: Mar 17, 2026

8.2

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Exploitability: 3.9 / Impact: 4.2

Source: NVD

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.

Affected (1)

Products: Freerdp: Freerdp

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Freerdp Freerdp	Before 3.24.0

Related CWEs

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

References (3)

https://github.com/FreeRDP/FreeRDP/commit/ffad58fd2b329efd81a3239e9d7e3c927b8e503f

Source: security-advisories@github.com

Patch

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h666-rfw3-jhvj

Source: security-advisories@github.com

ExploitPatchVendor Advisory

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h666-rfw3-jhvj

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitPatchVendor Advisory

Timeline

No history available yet.