CVE-2026-55827
Wolfi Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-55827 is a heap out-of-bounds write vulnerability in FreeRDP's RemoteFX (RFX) Cache Bitmap V3 decode path, allowing a malicious or compromised RDP server to achieve a controlled instruction pointer ($pc) in a connecting client. It affects FreeRDP 2.x ≥ 2.0.0 (all 2.x releases through 2.11.7) and 3.x ≥ 3.0.0 through 3.27.0, and is fixed in version 3.27.1. The vulnerability was reported by Vitaly Simonovich and published on June 17, 2026. It carries a CVSS v3.1 score of 7.5 (High) for the demonstrated controlled-$pc primitive, with a denial-of-service floor score of 6.5 (FreeRDP Advisory).

Técnicas

The root cause is an incorrect buffer size calculation (CWE-131) combined with a heap out-of-bounds write (CWE-787) in libfreerdp/gdi/graphics.c. The function gdi_Bitmap_Decompress allocates bitmap->data sized to the small Cache-Bitmap-V3 wire dimensions (DstWidth * DstHeight * Bpp, e.g., 64×64×4 = 16,384 bytes), but passes the full desktop surface geometry (gdi->stride, gdi->height) as the write bound to rfx_process_message. The per-tile RFX blit then writes each tile row at bitmap->data + nYDst * gdi->stride, overflowing the allocation when nYDst is large enough. The attacker controls tile position via unvalidated xIdx/yIdx wire fields, and bitmapData->codecID and DstWidth/DstHeight are also read as unvalidated wire values. Exploitation requires the client to be launched with the non-default /cache:codec:rfx flag and to connect to an attacker-controlled server; it is post-connect, not pre-authentication (FreeRDP Advisory).

Impacto

A malicious or compromised RDP server can trigger a heap out-of-bounds write in a connecting FreeRDP client, with demonstrated end-to-end impact of a controlled instruction pointer ($pc) via forward-edge function pointer hijack at IFCALL(pointer->Free) — achieved 3/3 deterministically with ASLR defeated on aarch64. On depth-30 displays, the attacker can plant an arbitrary value into a live xfPointer->Free function pointer, enabling potential full code execution (though a spawned shell was not separately demonstrated end-to-end). On depth-24 displays, the floor impact is a reliable client crash (denial of service) plus a constrained heap write primitive (FreeRDP Advisory).

Pasos de explotación

  1. Setup rogue RDP server: Deploy a malicious RDP server (e.g., a modified FreeRDP server or custom implementation) capable of sending crafted Cache Bitmap V3 secondary drawing orders with codecID=0x03 (REMOTEFX).
  2. Lure victim client: Induce the target user to connect to the rogue server using xfreerdp launched with the non-default /cache:codec:rfx flag (e.g., xfreerdp /v:<attacker-ip> /cache:codec:rfx /bpp:30).
  3. Send malformed Cache Bitmap V3 order: Transmit a Cache Bitmap V3 secondary drawing order with attacker-chosen small DstWidth/DstHeight (e.g., 2×30 = 240 bytes) to size bitmap->data into a target heap size class, and embed a valid RFX-encoded tile with attacker-controlled xIdx/yIdx tile position.
  4. Trigger heap overflow: The client's gdi_Bitmap_Decompress allocates bitmap->data at the small dimensions but calls rfx_process_message with the full desktop stride/height. The per-tile blit writes past bitmap->data at offset nYDst * gdi->stride, overflowing into adjacent heap objects.
  5. Overwrite function pointer (depth-30 path): On a depth-30 display, the convert path writes attacker-controlled pixel bytes onto an adjacent xfPointer->Free function pointer (offset 16 in the xfPointer struct) via the heap overflow.
  6. Defeat ASLR: Use a 1-pixel partial overwrite that preserves the victim PIE high bytes, landing $pc inside the victim's own mapping without needing a full ASLR leak.
  7. Achieve controlled $pc: When the client evicts a pointer cache entry, pointer_cache_put → pointer_free → IFCALL(pointer->Free) dispatches to the attacker-planted value, transferring control to an attacker-chosen address (FreeRDP Advisory).

Indicadores de compromiso

  • Network: Unexpected or unsolicited RDP connection attempts to unknown or untrusted servers; RDP traffic containing Cache Bitmap V3 secondary drawing orders with codecID=0x03 (REMOTEFX) and anomalously small DstWidth/DstHeight values.
  • Process: xfreerdp or FreeRDP client process crashing unexpectedly (SIGSEGV/SIGBUS) after connecting to an RDP server; unusual child processes spawned by the FreeRDP client process (e.g., shells, network tools).
  • Logs: Core dumps or crash reports from FreeRDP client processes referencing gdi_Bitmap_Decompress, rfx_process_message, or pointer_free in stack traces; AddressSanitizer reports of heap-buffer-overflow in prim_copy.c or rfx.c if running instrumented builds.
  • File System: Unexpected core dump files (e.g., core.*) in the working directory of the FreeRDP client process following an RDP session (FreeRDP Advisory).

Mitigación y soluciones alternativas

Upgrade FreeRDP to version 3.27.1, which contains the primary fix: passing the bitmap's own geometry (bitmap->nWidth * Bpp as stride, bitmap->nHeight as height) to rfx_process_message instead of the desktop surface dimensions. For FreeRDP 2.x users, Fedora packages the fix in freerdp 2:freerdp-3.27.1 updates. As an immediate workaround, avoid launching FreeRDP clients with the non-default /cache:codec:rfx flag, which is required to trigger the vulnerability — without this flag, Cache Bitmap V3 orders are rejected outright. Additionally, only connect to trusted RDP servers, as exploitation requires a malicious or compromised server (FreeRDP Advisory, Feedly).

Reacciones de la comunidad

The vulnerability was reported by security researcher Vitaly Simonovich and published by FreeRDP maintainer akallabeth on June 17, 2026. Linux distribution security trackers (Fedora, Debian via OSV) and security news outlets such as Pro-Linux.de covered the FreeRDP update wave. Tenable published Nessus detection plugins (IDs 321878 and 325081) for affected Fedora and container environments shortly after disclosure (Tenable Plugin, Pro-Linux).

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado Wolfi Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-57156HIGH8.6
  • Wolfi logoWolfi
  • freerdp
NoJul 10, 2026
CVE-2026-54174HIGH8.3
  • Wolfi logoWolfi
  • dagdotdev
NoJul 10, 2026
CVE-2026-57157MEDIUM6.5
  • Wolfi logoWolfi
  • freerdp3
NoNoJul 10, 2026
CVE-2026-57158MEDIUM5.1
  • Wolfi logoWolfi
  • libwinpr-devel
NoNoJul 10, 2026
CVE-2026-61874LOW2.3
  • Wolfi logoWolfi
  • filebrowser
NoJul 12, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades