Cyber Posture

CVE-2026-26965

High · Public PoC

Published: 25 February 2026

Modified: 27 February 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (10.0th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26965 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in FreeRDP. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 10.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: SI-2 requires timely flaw remediation, directly addressing this heap buffer overflow by mandating patching of vulnerable FreeRDP versions prior to 3.23.0.

Prevent: SI-16 implements memory protections like ASLR and DEP that minimize the exploitability of heap out-of-bounds writes, such as overwriting adjacent NSC_CONTEXT function pointers.

Prevent: SI-10 enforces validation of RDP planar RLE input dimensions against destination buffer sizes, preventing the unvalidated writes in planar_decompress_plane_rle() that enable the overflow.

MITRE ATT&CK Enterprise Techniques · AI

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Heap buffer overflow in FreeRDP client (planar RLE decode) enables RCE via crafted data from malicious RDP server when user initiates connection; directly maps to client-side exploitation for code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128×128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability.

Deeper analysis · AI

CVE-2026-26965 is a heap-based buffer overflow vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol, affecting versions prior to 3.23.0. The issue resides in the RLE planar decode path within the `planar_decompress_plane_rle()` function, which writes into `pDstData` at an offset of `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `nYDst+nSrcHeight` fits within the destination height or that `nXDst+nSrcWidth` fits within the destination stride. When `TempFormat != DstFormat`, `pDstData` points to `planar->pTempData`, sized for the desktop, while `nYDst` is only validated against the surface by `is_within_surface()`. This flaw carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified under CWE-787 (Out-of-bounds Write).

A malicious RDP server can exploit this vulnerability against any connecting FreeRDP client by sending crafted planar RLE data, triggering a heap out-of-bounds write with attacker-controlled offset and pixel data. The overflow extends up to 132,096 bytes past the end of the temp buffer; on the brk heap with a desktop size of 128×128 or smaller, it can corrupt an adjacent `NSC_CONTEXT` struct by overwriting its `decode` function pointer with controlled pixel data, enabling control-flow hijacking. Exploitation requires user interaction, such as initiating an RDP connection to the attacker's server, but needs no privileges and can be performed over the network with low complexity.

FreeRDP version 3.23.0 addresses the vulnerability with a fix detailed in the commit at https://github.com/FreeRDP/FreeRDP/commit/a0be5cb87d760bb1c803ad1bb835aa1e73e62abc. Additional guidance is available in the security advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5vgf-mw4f-r33h, which security practitioners should consult for patching and verification steps.
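The two missing checks described above, written as a stand-alone validation routine. This is an added example, not FreeRDP's code and not the upstream fix; the helper name `dst_rect_fits`, its `dstSize` parameter and the sample dimensions in `main` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not a FreeRDP function): returns true only if every
 * byte written at ((nYDst + y) * nDstStep) + (4 * nXDst) + nChannel, for
 * y < nSrcHeight and x < nSrcWidth with 4-byte pixels, lies inside a
 * destination buffer of dstSize bytes laid out as rows of nDstStep bytes. */
bool dst_rect_fits(size_t dstSize, uint32_t nDstStep,
                   uint32_t nXDst, uint32_t nYDst,
                   uint32_t nSrcWidth, uint32_t nSrcHeight)
{
    if (nDstStep == 0 || nSrcWidth == 0 || nSrcHeight == 0)
        return false;

    /* Widen to 64 bits so the sums and products below cannot wrap. */
    const uint64_t rows = (uint64_t)(dstSize / nDstStep); /* whole rows */
    const uint64_t right = ((uint64_t)nXDst + nSrcWidth) * 4u;
    const uint64_t bottom = (uint64_t)nYDst + nSrcHeight;

    if (right > nDstStep)   /* (nXDst + nSrcWidth) must fit in the stride */
        return false;
    if (bottom > rows)      /* (nYDst + nSrcHeight) must fit in the height */
        return false;
    return true;
}

int main(void)
{
    /* Constructed values: a temp buffer sized for a 128x128 desktop. */
    const uint32_t step = 128 * 4;
    const size_t size = (size_t)step * 128;

    /* Rectangle inside the temp buffer: accepted. */
    printf("in bounds:      %d\n", dst_rect_fits(size, step, 0, 0, 128, 128));
    /* Row offset that would only be valid on a larger surface: rejected. */
    printf("row overrun:    %d\n", dst_rect_fits(size, step, 0, 200, 64, 64));
    /* Column offset that runs past the stride: rejected. */
    printf("stride overrun: %d\n", dst_rect_fits(size, step, 100, 0, 64, 1));
    return 0;
}
```

The check has to be made against the buffer that is actually written (here the temp buffer), not only against the surface the rectangle was originally validated for.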

Details

CWE(s)

Affected Products

freerdp freerdp ≤ 3.23.0

CVEs Like This One

CVE-2026-26955 · Same product: Freerdp Freerdp
CVE-2026-22852 · Same product: Freerdp Freerdp
CVE-2026-29774 · Same product: Freerdp Freerdp
CVE-2026-25997 · Same product: Freerdp Freerdp
CVE-2026-23533 · Same product: Freerdp Freerdp
CVE-2026-25953 · Same product: Freerdp Freerdp
CVE-2026-25959 · Same product: Freerdp Freerdp
CVE-2026-23883 · Same product: Freerdp Freerdp
CVE-2026-22859 · Same product: Freerdp Freerdp
CVE-2026-23532 · Same product: Freerdp Freerdp
