Out-of-bounds read in FreeRDP - #VU137829
Published: July 16, 2026
FreeRDP
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an over-read caused by improper stream length handling in the gateway WebSocket transport when processing server-sent ping control frames. A remote attacker can send a specially crafted ping frame to disclose sensitive information.
The client sends a Pong whose payload may include bytes beyond the received Ping payload, and the peer can recover the masked payload because it receives the WebSocket masking key.