Out-of-bounds read in FreeRDP - #VU137828
Published: July 16, 2026
FreeRDP
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read in update_process_glyph_fragments() and glyph_cache_fragment_put() when processing GLYPH_FRAGMENT_ADD data from an RDP server. A remote attacker can send a short GLYPH_FRAGMENT_ADD payload with a larger declared fragment size to cause a denial of service.
The demonstrated impact is a client-side crash, and no attacker-controlled write primitive, remote code execution, or direct information disclosure beyond the out-of-bounds read was confirmed.