Incomplete Fix in FreeRDP GFX Pipeline Allows Truncated Payload Exploitation
CVE-2026-57158
5.1MEDIUM
What is CVE-2026-57158?
FreeRDP, an open-source implementation of the Remote Desktop Protocol, has a vulnerability in its GFX pipeline that stems from an incomplete fix for a prior issue. This flaw specifically affects FreeRDP clients from version 3.21.0 up to version 3.27.0. A malicious Remote Desktop Protocol (RDP) server can exploit this vulnerability by sending a truncated RDPGFX_CMDID_WIRETOSURFACE_1 planar payload. This could potentially allow the server to read beyond the intended input buffer, leading to unexpected behavior or disclosure of sensitive information. Users are urged to update to version 3.28.0 or later to mitigate this risk.
Affected Version(s)
FreeRDP >= 3.21.0, < 3.28.0
