Out-of-bounds read in FreeRDP - #VU137844
Published: July 16, 2026
FreeRDP
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service and disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the RDP6 planar bitmap RLE decoder functions planar_decompress_plane_rle() and planar_decompress_plane_rle_only() when parsing a truncated planar-encoded bitmap or surface update from an RDP server. A remote attacker can send a specially crafted planar-encoded update to cause a denial of service and disclose sensitive information.
User interaction is required because a client must connect to a malicious or compromised RDP server, and the issue is reachable through both the classic bitmap update PDU path and the RDPGFX surface command path.