Bug 2499159 (CVE-2026-55827)

Summary: CVE-2026-55827 FreeRDP: FreeRDP: Remote code execution via heap out-of-bounds write in RemoteFX decoding
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in FreeRDP. FreeRDP clients using the non-default /cache:codec:rfx option are vulnerable to a heap out-of-bounds write. A malicious Remote Desktop Protocol (RDP) server can exploit this by manipulating desktop stride and height values during RemoteFX decoding for Cache Bitmap V3 data. This can lead to arbitrary code execution on the client system.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2499223, 2499224, 2499227    
Bug Blocks:    

Description OSIDB Bzimport 2026-07-10 20:01:59 UTC
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.27.1, FreeRDP clients launched with the non-default /cache:codec:rfx option pass desktop stride and height to RemoteFX decoding for Cache Bitmap V3 data while allocating bitmap->data only for the smaller DstWidth and DstHeight in gdi_Bitmap_Decompress, allowing a malicious RDP server to trigger a heap out-of-bounds write with attacker-controlled offset and content. This issue is fixed in version 3.27.1.