CVE-2026-45700
Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/planar.c, freerdp_bitmap_decompress_planar() validates the X destination coordinate nXDst against the caller-provided destination stride (nDstStep) even when it is writing into the internal temp buffer pTempData. An attacker can bypass the check with a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData. This vulnerability is fixed in 3.26.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FreeRDP's planar bitmap decoder has a heap-buffer-overflow write in RLE planar data decoding, fixed in 3.26.0.
Vulnerability
In FreeRDP prior to 3.26.0, the planar bitmap decoder in libfreerdp/codec/planar.c contains an out-of-bounds heap write. The function freerdp_bitmap_decompress_planar() validates the X destination coordinate (nXDst) against the caller-provided destination stride (nDstStep) even when writing into the internal temporary buffer pTempData. An attacker can bypass this check by supplying a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData. The bug was introduced in commit a0be5cb87d760bb1c803ad1bb835aa1e73e62abc and affects all versions before 3.26.0 [1].
Exploitation
An attacker needs to provide a crafted planar bitmap with specific parameters (e.g., nDstStep = 28032, nXDst = 6000, nSrcWidth = 4, bpp = 4) that cause the bounds check to pass while the actual write offset exceeds the allocated pTempData buffer. The attacker must be able to supply malicious RLE planar data to a third-party application that uses FreeRDP's planar decoder. No authentication or special network position is required beyond the ability to send the crafted bitmap [1].
Impact
Successful exploitation results in a heap-buffer-overflow write, which can corrupt adjacent heap memory. This may lead to arbitrary code execution or denial of service in the context of the application using the vulnerable decoder. Note that FreeRDP's own server and client are not affected; only third-party implementations that integrate the planar decoder are at risk [1].
Mitigation
The vulnerability is fixed in FreeRDP version 3.26.0, released on 2026-05-29. Users should upgrade to this version or later. No workaround is available for earlier versions [1].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (3)
4a065a941ae1 [codec,planar] fix bounds checks
1 file changed · +2 −2
libfreerdp/codec/planar.c+2 −2 modified@@ -966,12 +966,12 @@ BOOL freerdp_bitmap_decompress_planar(BITMAP_PLANAR_CONTEXT* WINPR_RESTRICT plan return FALSE; } - if ((nXDst + nSrcWidth) * bpp > nDstStep) + if ((nXDst + nSrcWidth) * bpp > nTempStep) { WLog_ERR(TAG, "planar plane destination (X %" PRIu32 " + width %" PRIu32 ") * bpp %" PRIu32 " exceeds stride %" PRIu32, - nXDst, nSrcWidth, bpp, nDstStep); + nXDst, nSrcWidth, bpp, nTempStep); return FALSE; }
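Review bot: The new comparison `(nXDst + nSrcWidth) * bpp > nTempStep` still evaluates the sum and product in what the PRIu32 format specifiers indicate is 32-bit arithmetic, so a sufficiently large nXDst can wrap the left-hand side to a small value and pass the check. Consider widening to a 64-bit type before the multiply, or restructuring the test as a comparison against nTempStep / bpp. The WLog_ERR text would also be clearer if it said "temp stride", since the value printed is no longer the caller's nDstStep.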
f951d8677ce6 [gdi,gfx] fix bounds checks
1 file changed · +5 −3
libfreerdp/gdi/gfx.c+5 −3 modified@@ -1659,10 +1659,12 @@ static UINT gdi_CacheToSurface(RdpgfxClientContext* context, if (!is_rect_valid(&rect, surface->width, surface->height)) goto fail; + const UINT32 w = rect.right - rect.left; + const UINT32 h = rect.bottom - rect.top; if (!freerdp_image_copy_no_overlap(surface->data, surface->format, surface->scanline, - destPt->x, destPt->y, cacheEntry->width, - cacheEntry->height, cacheEntry->data, cacheEntry->format, - cacheEntry->scanline, 0, 0, nullptr, FREERDP_FLIP_NONE)) + destPt->x, destPt->y, w, h, cacheEntry->data, + cacheEntry->format, cacheEntry->scanline, 0, 0, nullptr, + FREERDP_FLIP_NONE)) goto fail; invalidRect = rect;
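Review bot: In the freerdp_image_copy_no_overlap() call, w and h now come from rect, but nothing in this hunk shows them being bounded by cacheEntry->width and cacheEntry->height, which still describe the source buffer read through cacheEntry->data and cacheEntry->scanline. If rect can ever be larger than the cache entry, the copy reads past the source, so an explicit `w <= cacheEntry->width && h <= cacheEntry->height` check before the call, or a comment stating where that invariant is established, would close the gap. The unsigned subtractions `rect.right - rect.left` and `rect.bottom - rect.top` also rely on is_rect_valid() guaranteeing right >= left and bottom >= top, which is worth stating next to the two declarations.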
a452eeb82946 [winpr,cmdline] define BoolValueFalse to nullptr
1 file changed · +1 −1
winpr/include/winpr/cmdline.h+1 −1 modified@@ -94,7 +94,7 @@ #define CommandLineSwitchEnd(_arg) #define BoolValueTrue WINPR_CXX_COMPAT_CAST(LPSTR, 1) -#define BoolValueFalse WINPR_CXX_COMPAT_CAST(LPSTR, 0) +#define BoolValueFalse WINPR_CXX_COMPAT_CAST(LPSTR, nullptr) typedef struct {
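Review bot: BoolValueFalse now expands to a cast of nullptr while BoolValueTrue on the line above still casts the integer 1, and this sits in a public header (winpr/include/winpr/cmdline.h), so C consumers built against a pre-C23 standard need nullptr to be defined by the time the macro is expanded. Please confirm the header pulls in whatever provides nullptr for C, and state in the commit message why only the false value changed, since the title alone does not explain it.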
Vulnerability mechanics
Root cause
"Bounds check in `freerdp_bitmap_decompress_planar()` validates the X destination coordinate against the caller-provided stride `nDstStep` instead of the internal temp buffer stride `nTempStep`, allowing an out-of-bounds heap write."
Attack vector
An attacker-controlled RDP server sends crafted planar bitmap data with a large `nDstStep` (destination stride) and a large `nXDst` (X coordinate). The buggy check compares `(nXDst + nSrcWidth) * bpp` against `nDstStep` instead of `nTempStep`, so the check passes even though the computed offset exceeds the temp buffer's size. During RLE decoding, the write offset lands past the end of `pTempData`, causing a heap-buffer-overflow write. The attacker controls both the write offset (via `nXDst`) and the written bytes (via the RLE stream), potentially enabling code execution.
Affected code
The bug resides in `libfreerdp/codec/planar.c` in the function `freerdp_bitmap_decompress_planar()`. The bounds check at line 969 validates `nXDst` against the caller-provided destination stride `nDstStep` even when the code writes into the internal temp buffer `pTempData`, which uses stride `nTempStep`. This mismatch allows an attacker to bypass the check and cause `planar_decompress_plane_rle()` to write past the end of `pTempData`.
What the fix does
The patch changes the bounds check from `nDstStep` to `nTempStep` on line 969 of `libfreerdp/codec/planar.c`, and updates the corresponding error log message. When the temp-buffer code path is active, writes go to `pTempData` whose stride is `nTempStep`, not the caller's `nDstStep`. By validating against the correct stride, the check now correctly rejects inputs where the destination offset would exceed the temp buffer allocation, preventing the out-of-bounds write.
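The stride mismatch described above, as an added C model that is not FreeRDP code: it reproduces only the comparison, using the parameter values quoted on this page. The helper names and the choice nTempStep = nSrcWidth * bpp are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* True when columns [nXDst, nXDst + nSrcWidth) at bpp bytes per pixel fit in
 * one row of `stride` bytes. Widening to 64 bits (an added hardening, not part
 * of the upstream patch) keeps the sum and product from wrapping. */
static bool x_span_fits(uint32_t nXDst, uint32_t nSrcWidth, uint32_t bpp,
                        uint32_t stride)
{
    const uint64_t end = ((uint64_t)nXDst + nSrcWidth) * bpp;
    return end <= stride;
}

/* Before 3.26.0, per the page: data is written to the temp buffer, but the
 * span is validated against the caller's destination stride. */
static bool check_before_fix(uint32_t nXDst, uint32_t nSrcWidth, uint32_t bpp,
                             uint32_t nDstStep, uint32_t nTempStep)
{
    (void)nTempStep; /* never consulted: this is the defect */
    return x_span_fits(nXDst, nSrcWidth, bpp, nDstStep);
}

/* After the fix: validate against the stride of the buffer actually written. */
static bool check_after_fix(uint32_t nXDst, uint32_t nSrcWidth, uint32_t bpp,
                            uint32_t nDstStep, uint32_t nTempStep)
{
    (void)nDstStep;
    return x_span_fits(nXDst, nSrcWidth, bpp, nTempStep);
}

/* Bytes by which the span ends beyond one temp-buffer row (0 if it fits). */
static uint64_t row_excess(uint32_t nXDst, uint32_t nSrcWidth, uint32_t bpp,
                           uint32_t nTempStep)
{
    const uint64_t end = ((uint64_t)nXDst + nSrcWidth) * bpp;
    return end > nTempStep ? end - nTempStep : 0;
}

int main(void)
{
    /* Values quoted on the page; nTempStep = nSrcWidth * bpp is assumed. */
    const uint32_t nDstStep = 28032, nXDst = 6000, nSrcWidth = 4, bpp = 4;
    const uint32_t nTempStep = nSrcWidth * bpp;
    printf("before fix accepts: %d\n", check_before_fix(nXDst, nSrcWidth, bpp, nDstStep, nTempStep));
    printf("after fix accepts:  %d\n", check_after_fix(nXDst, nSrcWidth, bpp, nDstStep, nTempStep));
    printf("excess past temp row: %llu bytes\n", (unsigned long long)row_excess(nXDst, nSrcWidth, bpp, nTempStep));
    return 0;
}
```

A regression test for a downstream integration can assert the same three outcomes against the real decoder by expecting freerdp_bitmap_decompress_planar() to return FALSE for these inputs on 3.26.0 or later.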
Preconditions
- network: The attacker must control an RDP server that sends crafted planar bitmap data to a client using the FreeRDP planar decoder in the RDPGFX planar path.
- input: The temp-buffer code path must be taken (writes go to pTempData with stride nTempStep), which occurs when nDstWidth is much larger than nSrcWidth.
- input: The attacker must supply a large nDstStep (larger than nTempStep) and a large nXDst such that (nXDst + nSrcWidth) * bpp passes the buggy check against nDstStep but exceeds nTempStep.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)