CVE-2026-57156:
Wolfi Análisis y mitigación de vulnerabilidades
Vista general
CVE-2026-57156 is a high-severity integer overflow leading to a heap-based buffer overflow in FreeRDP's Orders Delta Points parsing code. It affects FreeRDP versions up to and including 3.27.1 on 32-bit builds only (where SIZE_MAX is a 32-bit unsigned value), and was patched in version 3.28.0. The vulnerability was published on July 6, 2026, by the FreeRDP project maintainer. It carries a CVSS category estimate of High (FreeRDP Advisory, Feedly).
Técnicas
The root cause is a 32-bit integer overflow (CWE-190) in libfreerdp/core/orders.c during Orders Delta Points parsing, which leads to a heap-based buffer overflow (CWE-122). A network-controlled number value is multiplied by sizeof(DELTA_POINT) (4 bytes) without safe size validation before memory allocation: realloc(*points, sizeof(DELTA_POINT) * number) followed by ZeroMemory(*points, sizeof(DELTA_POINT) * number). On 32-bit builds, a value such as 0x40000001 causes the multiplication to overflow, truncating the allocation to only 4 bytes while the subsequent ZeroMemory call attempts to write the full (overflowed) size, resulting in heap memory corruption. Exploitation requires a malicious RDP server or peer capable of reaching this parsing path in a 32-bit FreeRDP client (FreeRDP Advisory).
Impacto
Successful exploitation can cause a client crash, denial of service, or potentially arbitrary code execution depending on heap layout at the time of the overflow. The vulnerability is limited to 32-bit FreeRDP client builds; 64-bit builds are not affected because SIZE_MAX is large enough to prevent the overflow. A malicious RDP server or man-in-the-middle attacker could trigger heap memory corruption in connecting clients, potentially leading to code execution in the context of the FreeRDP process (FreeRDP Advisory).
Pasos de explotación
- Setup malicious RDP server: Configure a rogue RDP server (or perform a man-in-the-middle attack on an existing RDP session) capable of sending crafted RDP protocol messages to a connecting 32-bit FreeRDP client.
- Identify vulnerable client: Confirm the target is running a 32-bit FreeRDP build (version ≤ 3.27.1) where
SIZE_MAXis a 32-bit unsigned integer. - Craft malicious Orders packet: Construct an RDP Orders packet containing a Delta Points order with the
numberfield set to a value such as0x40000001(1073741825), which will causesizeof(DELTA_POINT) * numberto overflow on 32-bit arithmetic. - Trigger allocation: When the client processes the packet,
realloc(*points, sizeof(DELTA_POINT) * number)allocates only 4 bytes due to the overflow. - Trigger heap corruption: The subsequent
ZeroMemory(*points, sizeof(DELTA_POINT) * number)call attempts to zero out the full (pre-overflow) size, writing far beyond the allocated 4-byte region and corrupting heap memory. - Achieve objective: Depending on heap layout, this may result in a client crash (DoS) or, with further heap-grooming techniques, potential code execution in the FreeRDP client process (FreeRDP Advisory).
Indicadores de compromiso
- Process: FreeRDP client process (
xfreerdp,wfreerdp, or similar) crashing unexpectedly or producing AddressSanitizer/heap corruption error messages during or after an RDP session. - Logs: Application crash logs or core dumps referencing
libfreerdp/core/orders.cor heap-buffer-overflow errors in FreeRDP client output. - Network: Unusual or malformed RDP Orders packets from an RDP server containing abnormally large Delta Points
numberfield values (e.g., values near or above0x40000000) observable via network capture on TCP port 3389.
Mitigación y soluciones alternativas
Upgrade FreeRDP to version 3.28.0 or later, which includes a fix using checked multiplication before allocation: if (number > SIZE_MAX / sizeof(DELTA_POINT)) return FALSE; (FreeRDP Advisory). Users on Debian Linux should monitor for updated package availability, as no vendor-provided patch was available at the time of initial disclosure (Feedly). As an interim measure, avoid using 32-bit FreeRDP builds and prefer 64-bit builds where SIZE_MAX prevents the overflow. Only connect to trusted RDP servers to reduce exposure to malicious server-side exploitation.
Reacciones de la comunidad
The vulnerability was reported by security researcher HEXER365 and published by FreeRDP maintainer akallabeth on July 6, 2026. The FreeRDP 3.28.0 release was covered by Linuxiac, which noted the security fixes included in the release (Linuxiac). Tenable published a Nessus plugin (ID 325534) to detect affected systems (Tenable).
Recursos adicionales
Fuente: Este informe se generó utilizando IA
Relacionado Wolfi Vulnerabilidades:
Evaluación gratuita de vulnerabilidades
Compare su postura de seguridad en la nube
Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.
Recursos adicionales de Wiz
Obtén una demostración personalizada
¿Listo para ver a Wiz en acción?
"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."