CVE-2026-29775

MEDIUM

FreeRDP <3.24.0 - Memory Corruption

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.
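The boundary condition described above, as an added example in a simplified model; this is not FreeRDP's source. All type and function names are hypothetical, and the `>` form of the faulty comparison is an assumption, since the description states only that `cacheId == maxCells` passes the guard.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified model: type and function names are hypothetical, not FreeRDP's. */
typedef struct { uint32_t number; void **entries; } cell_t;
typedef struct { uint32_t maxCells; cell_t *cells; } cache_t;
typedef bool (*guard_fn)(const cache_t *, uint32_t);

/* Off-by-one guard (assumed shape): rejects only id > maxCells. */
static bool guard_off_by_one(const cache_t *c, uint32_t id) { return !(id > c->maxCells); }
/* Corrected guard: valid cell indices are 0 .. maxCells - 1. */
static bool guard_fixed(const cache_t *c, uint32_t id) { return id < c->maxCells; }

/* Count ids in [0, limit) that a guard accepts although they lie outside cells[]. */
static uint32_t count_escapes(const cache_t *c, guard_fn guard, uint32_t limit)
{
    uint32_t n = 0;
    for (uint32_t id = 0; id < limit; id++)
        n += (guard(c, id) && id >= c->maxCells);
    return n;
}

/* Allocate exactly maxCells cells (there is no element cells[maxCells]). */
static cache_t *cache_new(uint32_t maxCells, uint32_t perCell)
{
    cache_t *c = calloc(1, sizeof(*c));
    if (!c || !(c->cells = calloc(maxCells, sizeof(cell_t)))) { free(c); return NULL; }
    c->maxCells = maxCells;
    for (uint32_t i = 0; i < maxCells; i++) {
        c->cells[i].entries = calloc(perCell, sizeof(void *));
        c->cells[i].number = c->cells[i].entries ? perCell : 0;
    }
    return c;
}

/* Hardened put: validates the cache id and the per-cell index before writing. */
static bool cache_put(cache_t *c, uint32_t id, uint32_t index, void *bitmap)
{
    if (!c || !guard_fixed(c, id) || index >= c->cells[id].number)
        return false;
    c->cells[id].entries[index] = bitmap;
    return true;
}

int main(void)
{
    cache_t *c = cache_new(3, 4); /* constructed sizes */
    return (c && count_escapes(c, guard_off_by_one, 16) == 1 && count_escapes(c, guard_fixed, 16) == 0) ? 0 : 1;
}
```

With three cells, the assumed faulty guard lets exactly one out-of-range id through (3, the value equal to `maxCells`), while the corrected guard lets none through.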

Scores

CVSS v3: 5.3
EPSS: 0.0008
EPSS Percentile: 22.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-787
Status: published
Products (2):
freerdp/freerdp < 3.24.0
FreeRDP/FreeRDP < 3.24.0
Published: Mar 13, 2026
Tracked Since: Mar 14, 2026