Bug 2447380 (CVE-2026-31897)

Summary: CVE-2026-31897 freerdp: FreeRDP has an out-of-bounds read in `freerdp_bitmap_decompress_planar`
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
An out of bounds read flaw has been discovered in FreeRDP. This Out-of-bounds read exists in the `freerdp_bitmap_decompress_planar` function when SrcSize is 0. This flaw may allow an attcker to read of 1 byte from heap memory in some situation. The more common and expected impact is a crash when the read hits an unmapped page.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2447425, 2447429, 2447417    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-13 18:04:17 UTC 
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in freerdp_bitmap_decompress_planar when SrcSize is 0. The function dereferences *srcp (which points to pSrcData) without first verifying that SrcSize >= 1. When SrcSize is 0 and pSrcData is non-NULL, this reads one byte past the end of the source buffer. This vulnerability is fixed in 3.24.0.