Bug 2442959 (CVE-2026-26965)

Summary: CVE-2026-26965 freerdp: FreeRDP: Arbitrary code execution via heap out-of-bounds write in RLE planar decode path
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in FreeRDP. A malicious Remote Desktop Protocol (RDP) server can exploit a heap out-of-bounds write vulnerability in the RLE planar decode path. This flaw allows the server to write attacker-controlled data beyond the intended buffer, potentially overwriting critical program data such as function pointers. This could lead to arbitrary code execution on the connecting FreeRDP client.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2442971, 2442973, 2442975, 2442972, 2442974    
Bug Blocks:    

Description OSIDB Bzimport 2026-02-26 06:01:49 UTC 
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and  on the brk heap (desktop ≤ 128×128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability.
Comment 2 errata-xmlrpc 2026-03-26 11:34:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:5936 https://access.redhat.com/errata/RHSA-2026:5936
Comment 3 errata-xmlrpc 2026-03-26 12:16:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:5939 https://access.redhat.com/errata/RHSA-2026:5939
Comment 4 errata-xmlrpc 2026-03-30 01:40:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:6005 https://access.redhat.com/errata/RHSA-2026:6005
Comment 5 errata-xmlrpc 2026-03-30 01:43:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:6004 https://access.redhat.com/errata/RHSA-2026:6004
Comment 6 errata-xmlrpc 2026-04-01 14:46:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:6384 https://access.redhat.com/errata/RHSA-2026:6384
Comment 7 errata-xmlrpc 2026-04-01 14:51:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:6385 https://access.redhat.com/errata/RHSA-2026:6385
Comment 8 errata-xmlrpc 2026-04-01 16:19:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:6395 https://access.redhat.com/errata/RHSA-2026:6395
Comment 9 errata-xmlrpc 2026-04-01 16:21:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:6396 https://access.redhat.com/errata/RHSA-2026:6396
Comment 10 errata-xmlrpc 2026-04-06 03:29:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:6616 https://access.redhat.com/errata/RHSA-2026:6616
Comment 11 errata-xmlrpc 2026-04-06 14:45:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:6665 https://access.redhat.com/errata/RHSA-2026:6665
Comment 12 errata-xmlrpc 2026-04-06 18:42:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:6712 https://access.redhat.com/errata/RHSA-2026:6712
Comment 13 errata-xmlrpc 2026-04-07 09:46:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:6764 https://access.redhat.com/errata/RHSA-2026:6764
Comment 14 errata-xmlrpc 2026-04-09 11:40:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:7292 https://access.redhat.com/errata/RHSA-2026:7292