CVE-2026-57156
Wolfi Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-57156 is a high-severity integer overflow leading to a heap-based buffer overflow in FreeRDP's Orders Delta Points parsing code. It affects FreeRDP versions up to and including 3.27.1 on 32-bit builds only (where SIZE_MAX is a 32-bit unsigned value), and was patched in version 3.28.0. The vulnerability was published on July 6, 2026, by the FreeRDP project maintainer. It carries a CVSS category estimate of High (FreeRDP Advisory, Feedly).

Técnicas

The root cause is a 32-bit integer overflow (CWE-190) in libfreerdp/core/orders.c during Orders Delta Points parsing, which leads to a heap-based buffer overflow (CWE-122). A network-controlled number value is multiplied by sizeof(DELTA_POINT) (4 bytes) without safe size validation before memory allocation: realloc(*points, sizeof(DELTA_POINT) * number) followed by ZeroMemory(*points, sizeof(DELTA_POINT) * number). On 32-bit builds, a value such as 0x40000001 causes the multiplication to overflow, truncating the allocation to only 4 bytes while the subsequent ZeroMemory call attempts to write the full (overflowed) size, resulting in heap memory corruption. Exploitation requires a malicious RDP server or peer capable of reaching this parsing path in a 32-bit FreeRDP client (FreeRDP Advisory).

Impacto

Successful exploitation can cause a client crash, denial of service, or potentially arbitrary code execution depending on heap layout at the time of the overflow. The vulnerability is limited to 32-bit FreeRDP client builds; 64-bit builds are not affected because SIZE_MAX is large enough to prevent the overflow. A malicious RDP server or man-in-the-middle attacker could trigger heap memory corruption in connecting clients, potentially leading to code execution in the context of the FreeRDP process (FreeRDP Advisory).

Pasos de explotación

  1. Setup malicious RDP server: Configure a rogue RDP server (or perform a man-in-the-middle attack on an existing RDP session) capable of sending crafted RDP protocol messages to a connecting 32-bit FreeRDP client.
  2. Identify vulnerable client: Confirm the target is running a 32-bit FreeRDP build (version ≤ 3.27.1) where SIZE_MAX is a 32-bit unsigned integer.
  3. Craft malicious Orders packet: Construct an RDP Orders packet containing a Delta Points order with the number field set to a value such as 0x40000001 (1073741825), which will cause sizeof(DELTA_POINT) * number to overflow on 32-bit arithmetic.
  4. Trigger allocation: When the client processes the packet, realloc(*points, sizeof(DELTA_POINT) * number) allocates only 4 bytes due to the overflow.
  5. Trigger heap corruption: The subsequent ZeroMemory(*points, sizeof(DELTA_POINT) * number) call attempts to zero out the full (pre-overflow) size, writing far beyond the allocated 4-byte region and corrupting heap memory.
  6. Achieve objective: Depending on heap layout, this may result in a client crash (DoS) or, with further heap-grooming techniques, potential code execution in the FreeRDP client process (FreeRDP Advisory).

Indicadores de compromiso

  • Process: FreeRDP client process (xfreerdp, wfreerdp, or similar) crashing unexpectedly or producing AddressSanitizer/heap corruption error messages during or after an RDP session.
  • Logs: Application crash logs or core dumps referencing libfreerdp/core/orders.c or heap-buffer-overflow errors in FreeRDP client output.
  • Network: Unusual or malformed RDP Orders packets from an RDP server containing abnormally large Delta Points number field values (e.g., values near or above 0x40000000) observable via network capture on TCP port 3389.

Mitigación y soluciones alternativas

Upgrade FreeRDP to version 3.28.0 or later, which includes a fix using checked multiplication before allocation: if (number > SIZE_MAX / sizeof(DELTA_POINT)) return FALSE; (FreeRDP Advisory). Users on Debian Linux should monitor for updated package availability, as no vendor-provided patch was available at the time of initial disclosure (Feedly). As an interim measure, avoid using 32-bit FreeRDP builds and prefer 64-bit builds where SIZE_MAX prevents the overflow. Only connect to trusted RDP servers to reduce exposure to malicious server-side exploitation.

Reacciones de la comunidad

The vulnerability was reported by security researcher HEXER365 and published by FreeRDP maintainer akallabeth on July 6, 2026. The FreeRDP 3.28.0 release was covered by Linuxiac, which noted the security fixes included in the release (Linuxiac). Tenable published a Nessus plugin (ID 325534) to detect affected systems (Tenable).

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado Wolfi Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-57156HIGH8.6
  • Wolfi logoWolfi
  • freerdp
NoJul 10, 2026
CVE-2026-54174HIGH8.3
  • Wolfi logoWolfi
  • dagdotdev
NoJul 10, 2026
CVE-2026-57157MEDIUM6.5
  • Wolfi logoWolfi
  • freerdp3
NoNoJul 10, 2026
CVE-2026-57158MEDIUM5.1
  • Wolfi logoWolfi
  • libwinpr-devel
NoNoJul 10, 2026
CVE-2026-61874LOW2.3
  • Wolfi logoWolfi
  • filebrowser
NoJul 12, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades