CVE-2026-57158
Wolfi Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-57158 is a heap out-of-bounds (OOB) read vulnerability in FreeRDP's planar_decompress_plane_rle_only function, representing an incomplete fix for the previously disclosed CVE-2026-23530. It affects FreeRDP versions >= 3.21.0 (confirmed on 3.27.0), and is patched in version 3.28.0. The Debian Linux packages freerdp2 and freerdp3 are specifically noted as affected with no vendor-supplied fix available at time of initial disclosure. The vulnerability is estimated as HIGH severity by Feedly, and was published on July 6, 2026 (GitHub Advisory, OSV).

Técnicas

The root cause is a classic off-by-one bounds check ordering error (CWE-125: Out-of-bounds Read) in libfreerdp/codec/planar.c. In planar_decompress_plane_rle_only, the code dereferences *srcp to read a control byte and increments srcp before validating that the new pointer position is within SrcSize — meaning the bounds check is post-read rather than pre-read. The prior fix for CVE-2026-23530 added dimension guards at the entry point of freerdp_bitmap_decompress_planar but did not address this inner function. A malicious RDP server can exploit this by sending a RDPGFX_CMDID_WIRETOSURFACE_1 packet with codecId=PLANAR and a planar payload truncated by exactly 1 byte, causing a 1-byte OOB read past the end of the input buffer on the final pixel of the last row. A proof-of-concept (PoC) with AddressSanitizer output is publicly available in the advisory (GitHub Advisory).

Impacto

Any FreeRDP client using the GFX pipeline is affected. A malicious RDP server can trigger the OOB read without any user interaction beyond the client connecting to the server, making this exploitable in scenarios where users connect to untrusted or attacker-controlled RDP servers. While the immediate impact is a 1-byte OOB read (classified Low severity by the FreeRDP project), such reads can potentially be leveraged for information disclosure or, in some memory layouts, contribute to more severe exploitation chains (GitHub Advisory).

Pasos de explotación

  1. Set up a malicious RDP server: Configure or modify an RDP server implementation to craft and send a RDPGFX_CMDID_WIRETOSURFACE_1 packet with codecId=PLANAR.
  2. Craft a truncated planar payload: Construct a planar-encoded payload that is truncated by exactly 1 byte — specifically, the final control byte of the last pixel row is omitted, bypassing the outer dimension guards introduced by the CVE-2026-23530 fix.
  3. Lure or wait for client connection: Induce a target FreeRDP client (version >= 3.21.0) to connect to the malicious server. No further user interaction is required once the connection is established.
  4. Trigger OOB read: Upon processing the crafted WIRETOSURFACE_1 packet, planar_decompress_plane_rle_only reads *srcp before validating bounds, causing a 1-byte OOB read past the end of the input buffer.
  5. Achieve objective: Depending on memory layout, the attacker may read sensitive data from adjacent memory or cause a crash (denial of service) of the FreeRDP client process (GitHub Advisory).

Indicadores de compromiso

  • Network: Unexpected or malformed RDPGFX_CMDID_WIRETOSURFACE_1 packets with codecId=PLANAR from an RDP server, particularly payloads that are unusually short or truncated relative to declared dimensions.
  • Process: FreeRDP client process crashing or terminating unexpectedly after connecting to an RDP server; AddressSanitizer or similar memory safety tool reporting SEGV or OOB read in planar_decompress_plane_rle_only.
  • Logs: Application crash logs or core dumps referencing planar_decompress_plane_rle_only in the stack trace; error messages from FreeRDP GFX pipeline processing (GitHub Advisory).

Mitigación y soluciones alternativas

FreeRDP 3.28.0 contains the patch for this vulnerability and should be applied immediately for all affected deployments (versions >= 3.21.0). For Debian users running freerdp2 or freerdp3, monitor Debian Security Advisories for updated packages, as no vendor-supplied fix was available at initial disclosure. As a workaround, avoid connecting FreeRDP clients to untrusted or unknown RDP servers, and consider disabling the GFX pipeline if operationally feasible (GitHub Advisory, Linuxiac).

Reacciones de la comunidad

The vulnerability was reported by researcher hextheshadow and published by FreeRDP maintainer akallabeth on July 6, 2026. Linuxiac covered the FreeRDP 3.28.0 release, highlighting the security fixes included in that version. Tenable published a Nessus plugin (ID 325548) to detect affected systems (Linuxiac, Tenable).

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado Wolfi Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-57156HIGH8.6
  • Wolfi logoWolfi
  • freerdp
NoJul 10, 2026
CVE-2026-54174HIGH8.3
  • Wolfi logoWolfi
  • dagdotdev
NoJul 10, 2026
CVE-2026-57157MEDIUM6.5
  • Wolfi logoWolfi
  • freerdp3
NoNoJul 10, 2026
CVE-2026-57158MEDIUM5.1
  • Wolfi logoWolfi
  • libwinpr-devel
NoNoJul 10, 2026
CVE-2026-61874LOW2.3
  • Wolfi logoWolfi
  • filebrowser
NoJul 12, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades