CVE-2026-26965

{"id": "CVE-2026-26965", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-02-25T21:16:43.047", "references": [{"url": "https://github.com/FreeRDP/FreeRDP/commit/a0be5cb87d760bb1c803ad1bb835aa1e73e62abc", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5vgf-mw4f-r33h", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop \u2264 128\u00d7128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data \u2014 control-flow\u2013relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability."}, {"lang": "es", "value": "FreeRDP es una implementaci\u00f3n gratuita del Protocolo de Escritorio Remoto. Antes de la versi\u00f3n 3.23.0, en la ruta de decodificaci\u00f3n planar RLE, planar_decompress_plane_rle() escribe en pDstData en ((nYDst+y) * nDstStep) + (4*nXDst) + nChannel sin verificar que (nYDst+nSrcHeight) encaje en la altura de destino o que (nXDst+nSrcWidth) encaje en el paso de destino. Cuando TempFormat != DstFormat, pDstData se convierte en planar->pTempData (dimensionado para el escritorio), mientras que nYDst solo se valida contra la superficie mediante is_within_surface(). Un servidor RDP malicioso puede explotar esto para realizar una escritura fuera de l\u00edmites en el heap con un desplazamiento y datos de p\u00edxeles controlados por el atacante en cualquier cliente FreeRDP que se conecte. La escritura OOB alcanza hasta 132.096 bytes m\u00e1s all\u00e1 del final del b\u00fafer temporal, y en el heap brk (escritorio ? 128\u00d7128), el puntero de funci\u00f3n decode de una estructura NSC_CONTEXT adyacente se sobrescribe con datos de p\u00edxeles controlados por el atacante \u2014 corrupci\u00f3n relevante para el flujo de control (puntero de funci\u00f3n sobrescrito) demostrada bajo un dise\u00f1o de heap determinista (nsc->decode = 0xFF414141FF414141). La versi\u00f3n 3.23.0 corrige la vulnerabilidad."}], "lastModified": "2026-02-27T14:49:57.897", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "31715854-6D23-4207-AB69-27707C7B2D42", "versionEndExcluding": "3.23.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}