CVE-2026-26965

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, planar_decompress_plane_rle() writes into pDstData at ((nYDst+y) * nDstStep) + (4*nXDst) + nChannel without verifying that (nYDst+nSrcHeight) fits in the destination height or that (nXDst+nSrcWidth) fits in the destination stride. When TempFormat != DstFormat, pDstData becomes planar->pTempData (sized for the desktop), while nYDst is only validated against the surface by is_within_surface(). A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128×128), an adjacent NSC_CONTEXT struct's decode function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (nsc->decode = 0xFF414141FF414141). Version 3.23.0 fixes the vulnerability.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-787"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26965.json"
}

References

Affected packages

Git / github.com/freerdp/freerdp

Affected ranges

Type

GIT

Repo

https://github.com/freerdp/freerdp

Events

Introduced

Fixed

b933ae18d9ad2a1d73c610868fcc30eb61654070

Fixed

a0be5cb87d760bb1c803ad1bb835aa1e73e62abc

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.23.0"
        }
    ]
}

Affected versions

1.*

1.0-beta1

1.0-beta2

1.0-beta4

1.0-beta5

1.0.0

1.0.1

1.1.0-beta+2013071101

1.1.0-beta1

1.1.0-beta1+android2

1.1.0-beta1+android3

1.1.0-beta1+android4

1.1.0-beta1+android5

1.1.0-beta1+ios1

1.1.0-beta1+ios2

1.1.0-beta1+ios3

1.1.0-beta1+ios4

1.2.0-beta1+android7

1.2.0-beta1+android9

2.*

2.0.0

2.0.0-beta1+android10

2.0.0-beta1+android11

2.0.0-rc0

2.0.0-rc1

2.0.0-rc2

2.0.0-rc3

2.0.0-rc4

3.*

3.0.0

3.0.0-beta1

3.0.0-beta2

3.0.0-beta3

3.0.0-beta4

3.0.0-rc0

3.1.0

3.2.0

3.3.0

3.4.0

3.5.0

3.5.1

Database specific

vanir_signatures_modified

"2026-04-11T03:29:16Z"

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-26965.json"

vanir_signatures

[
    {
        "target": {
            "file": "libfreerdp/codec/planar.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "230404328755052612117100792242279847009",
                "219593616325865066555522329579803666192",
                "28534761997125986975824167068864609176",
                "187290154479599502016860071192389159910",
                "251808060201614952069729567090186929708",
                "134195184515631534545394903080960326961",
                "105899215744722344442582069370483357347",
                "192857596324214854618089700992196040489",
                "122161517804884565820976105431098500263"
            ]
        },
        "id": "CVE-2026-26965-77b59768",
        "source": "https://github.com/freerdp/freerdp/commit/a0be5cb87d760bb1c803ad1bb835aa1e73e62abc",
        "signature_type": "Line"
    }
]