SB2026061743 - Out-of-bounds write in FreeRDP


Published: June 17, 2026

Security Bulletin ID: SB2026061743
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Out-of-bounds write (CVE-ID: N/A)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to an out-of-bounds write in the FreeRDP RemoteFX (RFX) Cache Bitmap V3 decode path in gdi_Bitmap_Decompress when processing a Cache Bitmap V3 secondary drawing order sent by an RDP server with codecID=0x03. A remote attacker can send a specially crafted RDP response to execute arbitrary code.

User interaction is required because the victim must connect to a malicious or compromised RDP server. The issue is reachable only after the connection is established and only when the non-default /cache:codec:rfx client flag is enabled.
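Because the bulletin ties reachability to the non-default /cache:codec:rfx client flag, the practical check on the defender's side is whether any saved FreeRDP invocation (wrapper scripts, launcher entries, documented runbooks) enables it. The following script is an added example, not code from the bulletin or from the FreeRDP project. It assumes the /cache option takes a comma-separated list of key[:value] pairs (for example bitmap:on,codec:rfx), which is how the FreeRDP command line is documented; the sample script lines it scans are constructed.

```python
"""Audit saved FreeRDP client command lines for the /cache:codec:rfx flag.

Added example (not FreeRDP project code). Assumption: the /cache option
value is a comma-separated list of key[:value] pairs such as
'bitmap:on,codec:rfx'. Sample lines below are constructed, not real.
"""
import re
import shlex

# Matches a '/cache:<value>' argument and captures <value>.
CACHE_OPT = re.compile(r"^/cache:(.+)$", re.IGNORECASE)


def cache_enables_rfx_codec(cmdline: str) -> bool:
    """Return True if this command line enables the RFX codec cache."""
    try:
        args = shlex.split(cmdline, posix=True)
    except ValueError:
        # Unbalanced quotes: fall back to whitespace splitting rather than
        # silently treating the line as safe.
        args = cmdline.split()
    for arg in args:
        m = CACHE_OPT.match(arg)
        if not m:
            continue
        for part in m.group(1).split(","):
            key, _, value = part.partition(":")
            if key.strip().lower() == "codec" and value.strip().lower() == "rfx":
                return True
    return False


def audit_lines(lines):
    """Return (line_no, text) for each live FreeRDP line that enables the RFX codec cache.

    Blank lines and shell comments are skipped; only lines that mention a
    FreeRDP client binary (xfreerdp, wlfreerdp, ...) are examined.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if "freerdp" not in stripped.lower():
            continue
        if cache_enables_rfx_codec(stripped):
            hits.append((n, stripped))
    return hits


# Constructed sample script; hostnames and user names are placeholders.
SAMPLE_SCRIPT = """\
#!/bin/sh
# constructed sample lines, not from a real deployment
xfreerdp /v:rdp.example.test /u:alice /cache:codec:rfx
xfreerdp /v:rdp.example.test /u:bob /cache:bitmap:on,codec:nsc
xfreerdp /v:rdp.example.test /u:carol /rfx /cache:glyph:on,codec:rfx
xfreerdp /v:rdp.example.test /u:dave
# xfreerdp /v:old.example.test /cache:codec:rfx   (commented out, not live)
"""

if __name__ == "__main__":
    for n, text in audit_lines(SAMPLE_SCRIPT.splitlines()):
        print(f"line {n}: enables /cache:codec:rfx -> {text}")
```

Run it against a real wrapper script by replacing SAMPLE_SCRIPT with the file's contents; any reported line is a client invocation that meets the bulletin's precondition and should be prioritised for the vendor update or have the flag removed.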


Remediation

Install the update from the vendor's website.