HIGH | CVE-2026-45700 | CNA: GitHub_M

CVE-2026-45700: Heap-buffer-overflow write in planar bitmap decoder

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/planar.c, freerdp_bitmap_decompress_planar() validates the X destination coordinate nXDst against the caller-provided destination stride (nDstStep) even when it is writing into the internal temp buffer pTempData. An attacker can bypass the check with a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData. This vulnerability is fixed in 3.26.0.
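
The wrong-bound check described above, as a simplified C model added here for illustration; it is not FreeRDP's code. The `target_t` struct, the function names, the 4-bytes-per-pixel temp layout and the sample sizes are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BPP 4u /* assumed bytes per pixel of the temp buffer (model only) */

/* Model of the buffer the decoder actually writes into (hypothetical type). */
typedef struct {
    uint32_t step;   /* real row stride in bytes */
    uint32_t height; /* rows allocated */
} target_t;

/* Flawed pattern: X range validated against the caller's stride (nDstStep),
 * whichever buffer is being written. */
static bool x_ok_caller_stride(uint32_t nXDst, uint32_t nWidth, uint32_t nDstStep)
{
    return ((uint64_t)nXDst + nWidth) * BPP <= nDstStep; /* 64-bit: no wraparound */
}

/* Corrected pattern: validate against the stride of the buffer being written. */
static bool x_ok_target_stride(uint32_t nXDst, uint32_t nWidth, const target_t* t)
{
    return ((uint64_t)nXDst + nWidth) * BPP <= t->step;
}

/* One past the last byte a nWidth x nHeight write at (nXDst, nYDst) touches. */
static uint64_t write_end(uint32_t nXDst, uint32_t nYDst, uint32_t nWidth,
                          uint32_t nHeight, const target_t* t)
{
    if (nWidth == 0 || nHeight == 0)
        return 0;
    return ((uint64_t)nYDst + nHeight - 1) * t->step + ((uint64_t)nXDst + nWidth) * BPP;
}

static bool fits(uint64_t end, const target_t* t)
{
    return end <= (uint64_t)t->step * t->height;
}

int main(void)
{
    target_t temp = { 64 * BPP, 64 };                     /* constructed 64x64 temp buffer */
    uint32_t x = 1000, w = 64, h = 64, callerStep = 8192; /* constructed inputs */
    printf("caller-stride check passes: %d\n", x_ok_caller_stride(x, w, callerStep));
    printf("target-stride check passes: %d\n", x_ok_target_stride(x, w, &temp));
    printf("write stays in buffer:      %d\n", fits(write_end(x, 0, w, h, &temp), &temp));
    return 0;
}
```

The model only computes offsets; no out-of-range write is performed. In review, the property to confirm is that every coordinate check uses the geometry of the buffer the write lands in.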

HarborGuard Analysis

Synopsis

A heap buffer overflow in FreeRDP's planar bitmap decoder lets a remote attacker write past the end of an internal temp buffer when decoding crafted RLE planar data. The bug is reachable over the network without authentication, but the victim must initiate or accept a session against an attacker-controlled RDP endpoint, and successful exploitation can corrupt heap memory leading to crashes or code execution in the FreeRDP client process. A patched-image rebuild at FreeRDP 3.26.0 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-45700 is ingested from upstream feeds within minutes of publication and matched against FreeRDP packages in customer registry images and build pipelines. Coverage extends to custom-built images that bundle libfreerdp, not just vendor base images.

Status: Available

Triage

Triage is available with the published CVSS v4.0 score of 7.7 (High), reweighted per environment against each customer's compliance policy so that internet-exposed or developer-workstation workloads can be escalated above back-office ones. Findings route to the configured security inbox inside each customer org with the affected image, layer, and package version attached.

Status: Available

Patch

A patched-image rebuild at FreeRDP 3.26.0 becomes available on HarborGuard as soon as fixed upstream packages land in distro feeds. For customers who opt into auto-remediation, HarborGuard rebuilds the affected images, runs the configured regression suite, and opens a pull request against the workloads pinned to the vulnerable version.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker reaches the victim over the network by serving crafted RDP planar bitmap data from a malicious or compromised RDP server.

  • Authentication: Not required

    No credentials on the victim system are needed; the decoder bug is hit during normal session handling.

  • Victim interaction: Required

    A user must initiate or accept an RDP session to the attacker-controlled endpoint, so the vector is phishing-style social engineering toward an RDP connection.

  • Attack complexity: Detail

    AC:L (attack complexity low) indicates the exploit path through the planar decoder is reliable, though AT:P (attack requirements present) notes some attack requirements on the target environment.

Blast Radius

  • Writes past the end of the pTempData heap buffer inside the FreeRDP client process, corrupting adjacent heap structures.
  • With VC:H/VI:H this typically escalates to arbitrary code execution in the context of the user running the RDP client.
  • Crashes or hangs the FreeRDP client (VA:H), terminating the active remote session and any unsaved work tied to it.
  • Impact is confined to the vulnerable client process; the CVSS subsequent-system scores are all None.

How HarborGuard Handles This

Available on HarborGuard: images containing FreeRDP below 3.26.0 are flagged against CVE-2026-45700, and a rebuilt image at 3.26.0 is published as soon as fixed packages reach distro feeds. For customers who opt into auto-remediation, HarborGuard rebuilds affected images, runs the regression suite, and opens a PR against pinned workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy delays the rebuild, compensating controls worth considering include restricting outbound RDP egress to known servers and gating FreeRDP-based tooling behind a feature flag until the upgrade lands.

Metrics

  • CVSS v4.0: 7.7
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1
  • Affected packages: FreeRDP / FreeRDP < 3.26.0
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N