๐Ÿ” CVE Alert

CVE-2026-57158

UNKNOWN 0.0

FreeRDP planar_decompress_plane_rle_only: heap OOB read โ€” incomplete fix for CVE-2026-23530

CVSS Score
0.0
EPSS Score
0.7%
EPSS Percentile
49th

FreeRDP is a free implementation of the Remote Desktop Protocol. From 3.21.0 before 3.28.0, FreeRDP clients using the GFX pipeline contain an incomplete fix for CVE-2026-23530 in planar_decompress_plane_rle_only in libfreerdp/codec/planar.c, allowing a malicious RDP server to send a truncated RDPGFX_CMDID_WIRETOSURFACE_1 planar payload that reads one byte past the input buffer. This issue is fixed in version 3.28.0.

CWE CWE-125
Vendor freerdp
Product freerdp
Published Jul 10, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for freerdp freerdp

Be the first to know when new unknown vulnerabilities affecting freerdp freerdp are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

FreeRDP / FreeRDP
>= 3.21.0, < 3.28.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mp3f-59pg-c5pp github.com: https://github.com/FreeRDP/FreeRDP/pull/12952 github.com: https://github.com/FreeRDP/FreeRDP/commit/a7e797626fcb7f1d556ce63febb84f9f4a822731 github.com: https://github.com/FreeRDP/FreeRDP/releases/tag/3.28.0