CVE-2026-55564

Public on 2026-07-10
Modified on 2026-07-10
Description
Out-of-bounds read in glyph_cache_get via crafted glyph fragments

A malicious RDP server can trigger an out-of-bounds heap read in a FreeRDP client through the glyph cache. glyph_cache_get() bounds-checks the index with > where it should use >= — the sibling glyph_cache_put() already gets it right. Since the cache's entries array holds exactly number pointers, an index equal to number slips past the check and reads one slot past the end, which the caller then dereferences as a glyph. It's the read-side twin of CVE-2020-11098 (the write side was fixed back in 2.1.2; the read side never was), and it's still present in 3.25.0 and master.
Severity
Medium severity
Medium
See what this means
CVSS v3 Base Score
5.4
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core freerdp Pending Fix
Amazon Linux 2023 freerdp Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L