CVE-2026-29775

Medium · Public PoC

Published: 13 March 2026

Modified: 17 March 2026
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0031 (22.4th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-29775 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in FreeRDP. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 22.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-29775 is a client-side heap out-of-bounds read/write vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). It affects versions prior to 3.24.0 and stems from an off-by-one boundary check error in the bitmap_cache_put function within FreeRDP's bitmap cache subsystem. Specifically, a CACHE_BITMAP_ORDER (Rev1) message with a cacheId equal to maxCells can bypass the guard, allowing access to one element past the allocated cells[] array.

The vulnerability can be exploited by a malicious RDP server against a connecting FreeRDP client over the network with low complexity, no privileges, and no user interaction required. Successful exploitation triggers the heap out-of-bounds access, resulting in limited availability impact such as potential client denial of service, as indicated by the CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). It is associated with CWE-787 (Out-of-bounds Write).

The issue is addressed in FreeRDP version 3.24.0, where the boundary check is fixed. Relevant resources include the patching commit at https://github.com/FreeRDP/FreeRDP/commit/ffad58fd2b329efd81a3239e9d7e3c927b8e503f and the GitHub Security Advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h666-rfw3-jhvj, which detail the flaw and resolution.
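The off-by-one described above can be seen in a simplified model. This is an added example, not FreeRDP source code: the struct, the function names and the exact form of the flawed comparison are assumptions made for illustration, and the extra canary slot stands in for whatever heap data follows the real array so the stray write can be observed without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, not FreeRDP source: all names here are hypothetical. */
typedef struct { void *entry; } cell_t;

typedef struct {
    uint32_t max_cells;  /* logical size of cells[] */
    cell_t *cells;       /* max_cells usable slots plus one canary slot */
} cache_t;

#define CANARY ((void *)(uintptr_t)0xC0FFEE)

static int cache_init(cache_t *c, uint32_t max_cells) {
    /* The extra slot makes the one-past-the-end write detectable. */
    c->cells = calloc((size_t)max_cells + 1, sizeof(cell_t));
    if (!c->cells) return -1;
    c->max_cells = max_cells;
    c->cells[max_cells].entry = CANARY;
    return 0;
}

static int canary_intact(const cache_t *c) {
    return c->cells[c->max_cells].entry == CANARY;
}

/* Off-by-one guard (assumed form): only id > max_cells is rejected,
   so id == max_cells passes and indexes one element past the array. */
static int put_flawed(cache_t *c, uint32_t id, void *bmp) {
    if (id > c->max_cells) return -1;
    c->cells[id].entry = bmp;
    return 0;
}

/* Corrected guard: valid indices are 0 .. max_cells - 1. */
static int put_fixed(cache_t *c, uint32_t id, void *bmp) {
    if (id >= c->max_cells) return -1;
    c->cells[id].entry = bmp;
    return 0;
}

int main(void) {
    cache_t c; int bmp = 1;
    if (cache_init(&c, 3) != 0) return 1;
    printf("fixed  id=3 -> %d, canary intact: %d\n", put_fixed(&c, 3, &bmp), canary_intact(&c));
    printf("flawed id=3 -> %d, canary intact: %d\n", put_flawed(&c, 3, &bmp), canary_intact(&c));
    free(c.cells);
    return 0;
}
```

With the corrected comparison the boundary value is rejected and the canary survives; with the flawed one the same value is accepted and overwrites the slot just past the logical end of the array.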

Vulnerability details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1499.004: Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A client-side OOB write in FreeRDP, triggered by a malicious RDP server, directly enables application exploitation resulting in DoS (this matches the T1499.004 description and the CVSS A:L impact).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27951 (same product: FreeRDP)
CVE-2026-25942 (same product: FreeRDP)
CVE-2026-27950 (same product: FreeRDP)
CVE-2026-26955 (same product: FreeRDP)
CVE-2026-24679 (same product: FreeRDP)
CVE-2026-45700 (same product: FreeRDP)
CVE-2026-26965 (same product: FreeRDP)
CVE-2026-24680 (same product: FreeRDP)
CVE-2026-31884 (same product: FreeRDP)
CVE-2026-22852 (same product: FreeRDP)

Affected Assets

freerdp / freerdp: ≤ 3.24.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Directly requires timely application of the vendor patch (FreeRDP 3.24.0) that corrects the off-by-one boundary check in bitmap_cache_put.

Prevent: Mandates validation of untrusted RDP protocol messages (CACHE_BITMAP_ORDER Rev1 cacheId) to prevent the out-of-bounds array access.

Prevent: Requires memory-protection mechanisms that can contain or block the heap out-of-bounds read/write resulting from the flawed bitmap cache logic.
