CVE-2026-29775
Published: 13 March 2026
Summary
CVE-2026-29775 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in FreeRDP. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 22.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-29775 is a client-side heap out-of-bounds read/write vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). It affects versions prior to 3.24.0 and stems from an off-by-one boundary check error in the bitmap_cache_put function within FreeRDP's bitmap cache subsystem. Specifically, a CACHE_BITMAP_ORDER (Rev1) message with a cacheId equal to maxCells can bypass the guard, allowing access to one element past the allocated cells[] array.
The vulnerability can be exploited by a malicious RDP server against a connecting FreeRDP client over the network with low complexity, no privileges, and no user interaction required. Successful exploitation triggers the heap out-of-bounds access, resulting in limited availability impact such as potential client denial of service, as indicated by the CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). It is associated with CWE-787 (Out-of-bounds Write).
The issue is addressed in FreeRDP version 3.24.0, where the boundary check is fixed. Relevant resources include the patching commit at https://github.com/FreeRDP/FreeRDP/commit/ffad58fd2b329efd81a3239e9d7e3c927b8e503f and the GitHub Security Advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h666-rfw3-jhvj, which detail the flaw and resolution.
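The off-by-one described above, as an added example in C that is not FreeRDP's code: a simplified cache model with hypothetical names (demo_cache, guard_off_by_one, guard_fixed, demo_cache_put). It assumes the flawed guard rejected only ids greater than maxCells and compares it with a guard that rejects cacheId >= maxCells.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified model with hypothetical names: cells[] holds max_cells elements. */
typedef struct { uint32_t number; void **entries; } demo_cell;
typedef struct { uint32_t max_cells; demo_cell *cells; } demo_cache;
typedef bool (*guard_fn)(const demo_cache *, uint32_t);

/* Assumed shape of the flawed guard: only ids above max_cells are rejected,
 * so id == max_cells passes although the last valid index is max_cells - 1. */
static bool guard_off_by_one(const demo_cache *c, uint32_t id) { return !(id > c->max_cells); }

/* Corrected guard: valid ids are 0 .. max_cells - 1. */
static bool guard_fixed(const demo_cache *c, uint32_t id) { return id < c->max_cells; }

/* Store entry at cells[id].entries[index], refusing any out-of-range id or index. */
static bool demo_cache_put(demo_cache *c, uint32_t id, uint32_t index, void *entry) {
    if (!c || !c->cells || !guard_fixed(c, id))
        return false;
    demo_cell *cell = &c->cells[id];
    if (!cell->entries || index >= cell->number)
        return false;
    cell->entries[index] = entry;
    return true;
}

/* Count the ids in 0 .. max_cells + 1 that a guard accepts yet lie outside cells[]. */
static unsigned out_of_range_accepted(const demo_cache *c, guard_fn guard) {
    unsigned n = 0;
    for (uint32_t id = 0; id <= c->max_cells + 1; id++)
        if (guard(c, id) && id >= c->max_cells)
            n++;
    return n;
}

/* Build a constructed sample cache: max_cells cells of per_cell entries each. */
static demo_cache *demo_cache_new(uint32_t max_cells, uint32_t per_cell) {
    demo_cache *c = calloc(1, sizeof(*c));
    if (!c) return NULL;
    c->cells = calloc(max_cells, sizeof(demo_cell));
    if (!c->cells) { free(c); return NULL; }
    c->max_cells = max_cells;
    for (uint32_t i = 0; i < max_cells; i++) {
        c->cells[i].number = per_cell;
        c->cells[i].entries = calloc(per_cell, sizeof(void *));
    }
    return c;
}
```

With a five-cell cache, the flawed guard accepts exactly one id outside the array (5), while the corrected guard accepts none.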
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12057
Vulnerability details
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A client-side OOB write in FreeRDP, triggered by a malicious RDP server, directly enables application exploitation resulting in DoS (matches the T1499.004 description and the CVSS A:L impact).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely application of the vendor patch (FreeRDP 3.24.0) that corrects the off-by-one boundary check in bitmap_cache_put.
Mandates validation of untrusted RDP protocol messages (CACHE_BITMAP_ORDER Rev1 cacheId) to prevent the out-of-bounds array access.
Requires memory-protection mechanisms that can contain or block the heap out-of-bounds read/write resulting from the flawed bitmap cache logic.