CVE-2026-45700
Severity CVSS v4.0:
HIGH
Type:
CWE-787
Out-of-bounds Write
Publication date:
29/05/2026
Last modified:
30/06/2026
Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/planar.c, freerdp_bitmap_decompress_planar() validates the X destination coordinate nXDst against the caller-provided destination stride (nDstStep) even when it is writing into the internal temp buffer pTempData. An attacker can bypass the check with a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData. This vulnerability is fixed in 3.26.0.
Impact
Base Score 4.0
7.70
Severity 4.0
HIGH
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:* | 3.26.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mpxh-8fq3-x8mh
- https://access.redhat.com/security/cve/CVE-2026-45700
- https://bugzilla.redhat.com/show_bug.cgi?id=2483470
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mpxh-8fq3-x8mh
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45700.json



