Untriaged
Permalink
CVE-2026-55827
7.5 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
FreeRDP: Heap out-of-bounds write in RemoteFX (RFX) Cache Bitmap V3 decode
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.27.1, FreeRDP clients launched with the non-default /cache:codec:rfx option pass desktop stride and height to RemoteFX decoding for Cache Bitmap V3 data while allocating bitmap->data only for the smaller DstWidth and DstHeight in gdi_Bitmap_Decompress, allowing a malicious RDP server to trigger a heap out-of-bounds write with attacker-controlled offset and content. This issue is fixed in version 3.27.1.
References
-
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c495-h83v-3prp x_refsource_CONFIRMexploit
-
https://github.com/FreeRDP/FreeRDP/pull/12899 x_refsource_MISC
-
https://github.com/FreeRDP/FreeRDP/releases/tag/3.27.1 x_refsource_MISC
Affected products
FreeRDP
- ==< 3.27.1
Package maintainers
-
@cizra Elmo Todurov <todurov+nix@gmail.com>
-
@DeimElias Deim Elias <deimelias@gmail.com>