Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2026-26965
CVE-2026-26965:
NixOS vulnerability analysis and mitigation
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, planar_decompress_plane_rle() writes into pDstData at ((nYDst+y) * nDstStep) + (4*nXDst) + nChannel without verifying that (nYDst+nSrcHeight) fits in the destination height or that (nXDst+nSrcWidth) fits in the destination stride. When TempFormat != DstFormat, pDstData becomes planar->pTempData (sized for the desktop), while nYDst is only validated against the surface by is_within_surface(). A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128×128), an adjacent NSC_CONTEXT struct's decode function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (nsc->decode = 0xFF414141FF414141). Version 3.23.0 fixes the vulnerability.
Source: NVD
Related NixOS vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management