Out-of-bounds read in FreeRDP - #VU134507

Published: June 15, 2026


Vulnerability identifier: #VU134507
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-125
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FreeRDP
Affected software:
FreeRDP

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information or cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the FreeRDP client's H.264 YUV-to-RGB conversion path when it processes AVC420 or AVC444 GFX frames from a malicious RDP server whose decoder output dimensions do not match the target surface dimensions. A remote attacker controlling the RDP server can send specially crafted RDP graphics data to disclose sensitive information or cause a denial of service.

Only client-side deployments that use libfreerdp GFX H.264 decompression are affected; exploitation requires RDPGFX with AVC420 or AVC444 negotiated and an H.264 decoder backend enabled.
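The failure mode described above, a YUV-to-RGB conversion that trusts decoder geometry the server controls, is illustrated below with an added example that is not FreeRDP's code. It is a hypothetical YUV 4:2:0 to BGRX converter that validates the decoder's reported frame dimensions against the destination surface and the requested region before any plane is read or any pixel is written; all type and function names, the plane layout and the sample frames are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical decoder output: planar 4:2:0, U/V half-resolution (not FreeRDP's types). */
typedef struct {
    uint32_t width, height;          /* geometry as reported by the decoder */
    const uint8_t *y, *u, *v;        /* plane pointers */
    size_t y_stride, uv_stride;      /* bytes per row of each plane */
} yuv420_frame_t;

/* Hypothetical destination surface: 32-bit BGRX pixels. */
typedef struct {
    uint32_t width, height;          /* geometry of the surface the GFX PDU targets */
    uint8_t *pixels;
    size_t stride, length;           /* row pitch and total buffer size in bytes */
} rgb_surface_t;

typedef struct { uint32_t left, top, right, bottom; } rect_t;   /* right/bottom exclusive */

/* The check the conversion path must perform: every dimension the remote side influences
 * is validated against the buffers actually allocated. Returns true only when every read
 * of the Y/U/V planes and every write to the surface stays inside its buffer. */
bool convert_region_is_safe(const yuv420_frame_t *f, const rgb_surface_t *s, const rect_t *r)
{
    if (!f || !s || !r || !f->y || !f->u || !f->v || !s->pixels) return false;
    if (r->left >= r->right || r->top >= r->bottom) return false;
    if (f->width != s->width || f->height != s->height) return false; /* decoder vs surface */
    if (r->right > f->width || r->bottom > f->height) return false;   /* region vs frame   */
    if (f->y_stride < f->width) return false;                         /* plane rows hold a full row */
    if (f->uv_stride < (f->width + 1) / 2) return false;
    if (s->stride < (size_t)s->width * 4) return false;               /* 4 bytes per BGRX pixel */
    if (s->length < s->stride * s->height) return false;              /* whole surface is backed */
    return true;
}

static uint8_t clamp8(int v) { return (uint8_t)(v < 0 ? 0 : v > 255 ? 255 : v); }

/* BT.601 limited-range YUV -> BGRX over one rectangle; refuses to touch memory on mismatch. */
int convert_yuv420_to_bgrx(const yuv420_frame_t *f, rgb_surface_t *s, const rect_t *r)
{
    if (!convert_region_is_safe(f, s, r)) return -1;
    for (uint32_t yy = r->top; yy < r->bottom; yy++) {
        const uint8_t *yrow = f->y + (size_t)yy * f->y_stride;
        const uint8_t *urow = f->u + (size_t)(yy / 2) * f->uv_stride;
        const uint8_t *vrow = f->v + (size_t)(yy / 2) * f->uv_stride;
        uint8_t *dst = s->pixels + (size_t)yy * s->stride;
        for (uint32_t xx = r->left; xx < r->right; xx++) {
            int Y = yrow[xx] - 16, U = urow[xx / 2] - 128, V = vrow[xx / 2] - 128;
            int rr = (298 * Y + 409 * V + 128) >> 8;
            int gg = (298 * Y - 100 * U - 208 * V + 128) >> 8;
            int bb = (298 * Y + 516 * U + 128) >> 8;
            dst[xx * 4 + 0] = clamp8(bb); dst[xx * 4 + 1] = clamp8(gg);
            dst[xx * 4 + 2] = clamp8(rr); dst[xx * 4 + 3] = 0;
        }
    }
    return 0;
}

/* Constructed 4x4 white frame (Y=235, U=V=128) into a matching 4x4 surface.
 * Returns the blue byte of pixel (0,0), expected 255, or -1 if conversion was refused. */
int demo_match_converts(void)
{
    uint8_t y[4 * 4], u[2 * 2], v[2 * 2], px[4 * 4 * 4];
    memset(y, 235, sizeof y); memset(u, 128, sizeof u); memset(v, 128, sizeof v);
    yuv420_frame_t f = { 4, 4, y, u, v, 4, 2 };
    rgb_surface_t  s = { 4, 4, px, 16, sizeof px };
    rect_t r = { 0, 0, 4, 4 };
    return convert_yuv420_to_bgrx(&f, &s, &r) == 0 ? px[0] : -1;
}

/* Constructed mismatch: decoder claims 8x8 while the surface is 4x4. Without the check,
 * the inner loop would read past the planes and write past the 4x4 pixel buffer. */
int demo_mismatch_rejected(void)
{
    uint8_t y[8 * 8] = {0}, u[4 * 4] = {0}, v[4 * 4] = {0}, px[4 * 4 * 4];
    yuv420_frame_t f = { 8, 8, y, u, v, 8, 4 };
    rgb_surface_t  s = { 4, 4, px, 16, sizeof px };
    rect_t r = { 0, 0, 8, 8 };
    return convert_yuv420_to_bgrx(&f, &s, &r);   /* -1: refused before any memory access */
}

int main(void)
{
    printf("matching geometry -> blue byte %d\n", demo_match_converts());
    printf("mismatched geometry -> rc %d\n", demo_mismatch_rejected());
    return 0;
}
```

The point of the check is that frame dimensions arrive from the decoder, which in turn was fed data from the server, while the surface was sized by an earlier GFX command; the two must be compared explicitly, and the region clipped to both, before the conversion loop indexes either buffer.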


Remediation

Install the security update from the vendor's website.

Sources