CVE-2026-55827
HIGHFreeRDP: Heap out-of-bounds write in RemoteFX (RFX) Cache Bitmap V3 decode
Title source: cnaDescription
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.27.1, FreeRDP clients launched with the non-default /cache:codec:rfx option pass desktop stride and height to RemoteFX decoding for Cache Bitmap V3 data while allocating bitmap->data only for the smaller DstWidth and DstHeight in gdi_Bitmap_Decompress, allowing a malicious RDP server to trigger a heap out-of-bounds write with attacker-controlled offset and content. This issue is fixed in version 3.27.1.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c495-h83v-3prp
X_Refsource_Misc x_refsource_misc
https://github.com/FreeRDP/FreeRDP/pull/12899
X_Refsource_Misc x_refsource_misc
https://github.com/FreeRDP/FreeRDP/commit/e58adf922ea4c0d5495e59a1fe488d70092e0e3e
X_Refsource_Misc x_refsource_misc
https://github.com/FreeRDP/FreeRDP/releases/tag/3.27.1
Scores
CVSS v3
7.5
EPSS
0.0045
EPSS Percentile
36.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-131
CWE-787
Status
published
Products (2)
freerdp/freerdp
< 3.27.1
FreeRDP/FreeRDP
< 3.27.1
Published
Jul 10, 2026
Tracked Since
Jul 11, 2026