CVE-2026-55827:
Wolfi Análisis y mitigación de vulnerabilidades
Vista general
CVE-2026-55827 is a heap out-of-bounds write vulnerability in FreeRDP's RemoteFX (RFX) Cache Bitmap V3 decode path, allowing a malicious or compromised RDP server to achieve a controlled instruction pointer ($pc) in a connecting client. It affects FreeRDP 2.x ≥ 2.0.0 (all 2.x releases through 2.11.7) and 3.x ≥ 3.0.0 through 3.27.0, and is fixed in version 3.27.1. The vulnerability was reported by Vitaly Simonovich and published on June 17, 2026. It carries a CVSS v3.1 score of 7.5 (High) for the demonstrated controlled-$pc primitive, with a denial-of-service floor score of 6.5 (FreeRDP Advisory).
Técnicas
The root cause is an incorrect buffer size calculation (CWE-131) combined with a heap out-of-bounds write (CWE-787) in libfreerdp/gdi/graphics.c. The function gdi_Bitmap_Decompress allocates bitmap->data sized to the small Cache-Bitmap-V3 wire dimensions (DstWidth * DstHeight * Bpp, e.g., 64×64×4 = 16,384 bytes), but passes the full desktop surface geometry (gdi->stride, gdi->height) as the write bound to rfx_process_message. The per-tile RFX blit then writes each tile row at bitmap->data + nYDst * gdi->stride, overflowing the allocation when nYDst is large enough. The attacker controls tile position via unvalidated xIdx/yIdx wire fields, and bitmapData->codecID and DstWidth/DstHeight are also read as unvalidated wire values. Exploitation requires the client to be launched with the non-default /cache:codec:rfx flag and to connect to an attacker-controlled server; it is post-connect, not pre-authentication (FreeRDP Advisory).
Impacto
A malicious or compromised RDP server can trigger a heap out-of-bounds write in a connecting FreeRDP client, with demonstrated end-to-end impact of a controlled instruction pointer ($pc) via forward-edge function pointer hijack at IFCALL(pointer->Free) — achieved 3/3 deterministically with ASLR defeated on aarch64. On depth-30 displays, the attacker can plant an arbitrary value into a live xfPointer->Free function pointer, enabling potential full code execution (though a spawned shell was not separately demonstrated end-to-end). On depth-24 displays, the floor impact is a reliable client crash (denial of service) plus a constrained heap write primitive (FreeRDP Advisory).
Pasos de explotación
- Setup rogue RDP server: Deploy a malicious RDP server (e.g., a modified FreeRDP server or custom implementation) capable of sending crafted Cache Bitmap V3 secondary drawing orders with
codecID=0x03(REMOTEFX). - Lure victim client: Induce the target user to connect to the rogue server using
xfreerdplaunched with the non-default/cache:codec:rfxflag (e.g.,xfreerdp /v:<attacker-ip> /cache:codec:rfx /bpp:30). - Send malformed Cache Bitmap V3 order: Transmit a Cache Bitmap V3 secondary drawing order with attacker-chosen small
DstWidth/DstHeight(e.g., 2×30 = 240 bytes) to sizebitmap->datainto a target heap size class, and embed a valid RFX-encoded tile with attacker-controlledxIdx/yIdxtile position. - Trigger heap overflow: The client's
gdi_Bitmap_Decompressallocatesbitmap->dataat the small dimensions but callsrfx_process_messagewith the full desktop stride/height. The per-tile blit writes pastbitmap->dataat offsetnYDst * gdi->stride, overflowing into adjacent heap objects. - Overwrite function pointer (depth-30 path): On a depth-30 display, the convert path writes attacker-controlled pixel bytes onto an adjacent
xfPointer->Freefunction pointer (offset 16 in thexfPointerstruct) via the heap overflow. - Defeat ASLR: Use a 1-pixel partial overwrite that preserves the victim PIE high bytes, landing
$pcinside the victim's own mapping without needing a full ASLR leak. - Achieve controlled
$pc: When the client evicts a pointer cache entry,pointer_cache_put → pointer_free → IFCALL(pointer->Free)dispatches to the attacker-planted value, transferring control to an attacker-chosen address (FreeRDP Advisory).
Indicadores de compromiso
- Network: Unexpected or unsolicited RDP connection attempts to unknown or untrusted servers; RDP traffic containing Cache Bitmap V3 secondary drawing orders with
codecID=0x03(REMOTEFX) and anomalously smallDstWidth/DstHeightvalues. - Process:
xfreerdpor FreeRDP client process crashing unexpectedly (SIGSEGV/SIGBUS) after connecting to an RDP server; unusual child processes spawned by the FreeRDP client process (e.g., shells, network tools). - Logs: Core dumps or crash reports from FreeRDP client processes referencing
gdi_Bitmap_Decompress,rfx_process_message, orpointer_freein stack traces; AddressSanitizer reports of heap-buffer-overflow inprim_copy.corrfx.cif running instrumented builds. - File System: Unexpected core dump files (e.g.,
core.*) in the working directory of the FreeRDP client process following an RDP session (FreeRDP Advisory).
Mitigación y soluciones alternativas
Upgrade FreeRDP to version 3.27.1, which contains the primary fix: passing the bitmap's own geometry (bitmap->nWidth * Bpp as stride, bitmap->nHeight as height) to rfx_process_message instead of the desktop surface dimensions. For FreeRDP 2.x users, Fedora packages the fix in freerdp 2:freerdp-3.27.1 updates. As an immediate workaround, avoid launching FreeRDP clients with the non-default /cache:codec:rfx flag, which is required to trigger the vulnerability — without this flag, Cache Bitmap V3 orders are rejected outright. Additionally, only connect to trusted RDP servers, as exploitation requires a malicious or compromised server (FreeRDP Advisory, Feedly).
Reacciones de la comunidad
The vulnerability was reported by security researcher Vitaly Simonovich and published by FreeRDP maintainer akallabeth on June 17, 2026. Linux distribution security trackers (Fedora, Debian via OSV) and security news outlets such as Pro-Linux.de covered the FreeRDP update wave. Tenable published Nessus detection plugins (IDs 321878 and 325081) for affected Fedora and container environments shortly after disclosure (Tenable Plugin, Pro-Linux).
Recursos adicionales
Fuente: Este informe se generó utilizando IA
Relacionado Wolfi Vulnerabilidades:
Evaluación gratuita de vulnerabilidades
Compare su postura de seguridad en la nube
Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.
Recursos adicionales de Wiz
Obtén una demostración personalizada
¿Listo para ver a Wiz en acción?
"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."