Heap Out-of-Bounds Read/Write in FreeRDP Remote Desktop Protocol Implementation
CVE-2026-29775

5.3MEDIUM

Key Information:

Vendor: Freerdp
Status: Freerdp
Vendor: CVE Published:; 13 March 2026

What is CVE-2026-29775?

FreeRDP, an open-source implementation of the Remote Desktop Protocol, contains a vulnerability in its bitmap cache subsystem prior to version 3.24.0. This issue arises from an off-by-one error in the boundary check within the 'bitmap_cache_put' function, which leads to client-side heap out-of-bounds read/write operations. A malicious server can exploit this flaw by sending a CACHE_BITMAP_ORDER (Rev1) with a cacheId set to maxCells, effectively bypassing the guard and accessing the 'cells[]' array one element beyond the allocated size. This vulnerability has been addressed in version 3.24.0.

Affected Version(s)

FreeRDP < 3.24.0

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/FreeRDP/FreeRDP/commit/ffad58fd2b329ef...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 13, 2026
Vulnerability Reserved
Mar 4, 2026

CVE-2026-29775 Data

JSON

Freerdp

What is CVE-2026-29775?

Affected Version(s)

References

CVSS V3.1

Timeline