CVE-2026-29775
Published: 13 March 2026
Summary
CVE-2026-29775 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Freerdp Freerdp. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 22.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Client-side OOB write in FreeRDP triggered by malicious RDP server directly enables application exploitation resulting in DoS (matches T1499.004 description and CVSS A:L impact).
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1)…
more
with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.
Deeper analysisAI
CVE-2026-29775 is a client-side heap out-of-bounds read/write vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). It affects versions prior to 3.24.0 and stems from an off-by-one boundary check error in the bitmap_cache_put function within FreeRDP's bitmap cache subsystem. Specifically, a CACHE_BITMAP_ORDER (Rev1) message with a cacheId equal to maxCells can bypass the guard, allowing access to one element past the allocated cells[] array.
The vulnerability can be exploited by a malicious RDP server against a connecting FreeRDP client over the network with low complexity, no privileges, and no user interaction required. Successful exploitation triggers the heap out-of-bounds access, resulting in limited availability impact such as potential client denial of service, as indicated by the CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). It is associated with CWE-787 (Out-of-bounds Write).
The issue is addressed in FreeRDP version 3.24.0, where the boundary check is fixed. Relevant resources include the patching commit at https://github.com/FreeRDP/FreeRDP/commit/ffad58fd2b329efd81a3239e9d7e3c927b8e503f and the GitHub Security Advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h666-rfw3-jhvj, which detail the flaw and resolution.
Details
- CWE(s)