CVE-2026-29774

EUVD-2026-12055

13.03.2026, 19:54

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing horizontal bounds validation of H.264 metablock regionRects coordinates.  In yuv.c, the clamp() function (line 347) only validates top/bottom against the surface/YUV height, but never checks left/right against the surface width. When avc420_yuv_to_rgb (line 67) computes destination and source pointers using rect->left, it performs unchecked pointer arithmetic that can reach far beyond the allocated surface buffer. A malicious server sends a WIRE_TO_SURFACE_PDU_1 with AVC420 codec containing a regionRects entry where left greatly exceeds the surface width (e.g., left=60000 on a 128px surface). The H.264 bitstream decodes successfully, then yuv420_process_work_callback calls avc420_yuv_to_rgb which computes pDstPoint = pDstData + rect->top * nDstStep + rect->left * 4, writing 16-byte SSE vectors 1888+ bytes past the allocated heap region. This vulnerability is fixed in 3.24.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 27%

Affected Products (NVD)

Vendor	Product	Version
freerdp	freerdp	𝑥 < 3.24.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

freerdp2

bookworm	no-dsa
bullseye	vulnerable
bullseye (security)	vulnerable

freerdp3

forky	3.26.0+dfsg-1 fixed
sid	3.26.0+dfsg-1 fixed
trixie	3.15.0+dfsg-2.1+deb13u3 fixed

openSUSE / SLES Releases

openSUSE Product

Release

freerdp

suse enterprise desktop 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.14.1 fixed

freerdp-devel

suse enterprise desktop 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise server 12 SP5	2.1.2-12.68.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.14.1 fixed

freerdp-proxy

suse enterprise desktop 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.14.1 fixed

freerdp-proxy-plugins

suse enterprise desktop 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.14.1 fixed

freerdp-sdl

suse enterprise desktop 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.14.1 fixed

freerdp-server

suse enterprise desktop 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.14.1 fixed

freerdp2

suse enterprise desktop 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise sap 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise server 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise workstation 15 SP7	2.11.7-150700.3.22.1 fixed

freerdp2-devel

suse enterprise desktop 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise sap 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise server 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise workstation 15 SP7	2.11.7-150700.3.22.1 fixed

freerdp2-proxy

suse enterprise desktop 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise sap 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise server 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise workstation 15 SP7	2.11.7-150700.3.22.1 fixed

freerdp2-server

suse enterprise desktop 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise sap 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise server 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise workstation 15 SP7	2.11.7-150700.3.22.1 fixed

libfreerdp-server-proxy3-3

suse enterprise desktop 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.14.1 fixed

libfreerdp2-2

suse enterprise desktop 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise sap 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise server 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise workstation 15 SP7	2.11.7-150700.3.22.1 fixed

libfreerdp3-3

suse enterprise desktop 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.14.1 fixed

librdtk0-0

suse enterprise desktop 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.14.1 fixed

libwinpr2-2

suse enterprise desktop 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise sap 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise server 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise workstation 15 SP7	2.11.7-150700.3.22.1 fixed

libwinpr3-3

suse enterprise desktop 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.14.1 fixed

winpr-devel

suse enterprise desktop 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise sap 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise server 15 SP7	3.10.3-150700.3.14.1 fixed
suse enterprise workstation 15 SP7	3.10.3-150700.3.14.1 fixed

winpr2-devel

suse enterprise desktop 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise sap 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise server 12 SP5	2.1.2-12.68.1 fixed
suse enterprise server 15 SP7	2.11.7-150700.3.22.1 fixed
suse enterprise workstation 15 SP7	2.11.7-150700.3.22.1 fixed

Amazon Linux Releases

Amazon Package

Release

freerdp

Amazon Linux 2	2:2.11.7-1.amzn2.0.9 fixed
Amazon Linux 2023	2:3.6.3-1.amzn2023.0.8 fixed

freerdp-debuginfo

Amazon Linux 2	2:2.11.7-1.amzn2.0.9 fixed
Amazon Linux 2023	2:3.6.3-1.amzn2023.0.8 fixed

freerdp-debugsource

Amazon Linux 2023

2:3.6.3-1.amzn2023.0.8

fixed

freerdp-devel

Amazon Linux 2	2:2.11.7-1.amzn2.0.9 fixed
Amazon Linux 2023	2:3.6.3-1.amzn2023.0.8 fixed

freerdp-libs

Amazon Linux 2	2:2.11.7-1.amzn2.0.9 fixed
Amazon Linux 2023	2:3.6.3-1.amzn2023.0.8 fixed

freerdp-libs-debuginfo

Amazon Linux 2023

2:3.6.3-1.amzn2023.0.8

fixed

freerdp-server

Amazon Linux 2023

2:3.6.3-1.amzn2023.0.8

fixed

freerdp-server-debuginfo

Amazon Linux 2023

2:3.6.3-1.amzn2023.0.8

fixed

libwinpr

Amazon Linux 2	2:2.11.7-1.amzn2.0.9 fixed
Amazon Linux 2023	2:3.6.3-1.amzn2023.0.8 fixed

libwinpr-debuginfo

Amazon Linux 2023

2:3.6.3-1.amzn2023.0.8

fixed

libwinpr-devel

Amazon Linux 2	2:2.11.7-1.amzn2.0.9 fixed
Amazon Linux 2023	2:3.6.3-1.amzn2023.0.8 fixed

Known Exploits!

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

References

https://github.com/FreeRDP/FreeRDP/commit/6482b7a92fff3959582cef052d1967ad6bde3738

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5q35-hv9x-7794