CVE-2026-55192

Public on 2026-07-10
Modified on 2026-07-10
Description
Out-of-bounds read in H.264 YUV-to-RGB conversion due to decoder/surface dimension mismatch

After h264->subsystem->Decompress() returns, all major H.264 backends overwrite h264->pYUVData and h264->iStride with decoder-internal YUV buffers sized by the H.264 bitstream SPS. These dimensions are never compared against the RDPGFX surface dimensions stored in h264->width / h264->height.

areRectsValid() validates region rectangles against the surface width/height passed into avc420_decompress() / avc444_decompress(). Subsequent YUV→RGB conversion (yuv420_context_decode → avc420_yuv_to_rgb or avc444_yuv_to_rgb) consumes those surface-sized rectangles against the smaller decoder-sized YUV planes, causing out-of-bounds reads on both axes.

clamp() only limits rect.top/rect.bottom using MIN(context->height, srcHeight) where srcHeight is h264->height (surface height on FFmpeg/OpenH264/MediaCodec paths). It does not clamp rect.left/rect.right. check_rect() is only invoked on the YUV444 combine path, not on the AVC420/AVC444 RGB conversion paths.
Severity
Medium severity
Medium
See what this means
CVSS v3 Base Score
5.4
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core freerdp Not Affected
Amazon Linux 2023 freerdp Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L