CVE-2026-55194

Public on 2026-07-10
Modified on 2026-07-10
Description
Heap-buffer-overflow write in TS Gateway RPC RESPONSE reassembly due to alloc_hint capacity mismatch

In rpc_client_recv_fragment(), when reassembling a PTYPE_RESPONSE PDU, the client calls Stream_EnsureCapacity(pdu->s, response->alloc_hint) using only the server-declared alloc_hint. Stream_EnsureCapacity() returns success if the existing capacity is already >= alloc_hint, without considering the current write offset or the actual stub length about to be copied.

A malicious gateway can set a small alloc_hint (e.g. 100) while sending a large fragment (frag_length = 6000, yielding StubLength ≈ 5968). The 4096-byte reassembly buffer is not grown, and Stream_Write(pdu->s, …, StubLength) copies attacker-controlled stub data past the end of the heap allocation. On default builds this may abort via WINPR_ASSERT; on Release builds (NDEBUG) the assert is elided and the overflow becomes an exploitable heap write.

This is distinct from the separate ReceiveFragment / bind_ack max_xmit_frag issue (different buffer and code path in the same gateway module).
Severity
Important severity
Important
See what this means
CVSS v3 Base Score
8.8
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core freerdp Pending Fix
Amazon Linux 2023 freerdp Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H