CVE-2026-55564
Public on 2026-07-10
Modified on 2026-07-10
Description
Out-of-bounds read in glyph_cache_get via crafted glyph fragments
A malicious RDP server can trigger an out-of-bounds heap read in a FreeRDP client through the glyph cache. glyph_cache_get() bounds-checks the index with > where it should use >= — the sibling glyph_cache_put() already gets it right. Since the cache's entries array holds exactly number pointers, an index equal to number slips past the check and reads one slot past the end, which the caller then dereferences as a glyph. It's the read-side twin of CVE-2020-11098 (the write side was fixed back in 2.1.2; the read side never was), and it's still present in 3.25.0 and master.
A malicious RDP server can trigger an out-of-bounds heap read in a FreeRDP client through the glyph cache. glyph_cache_get() bounds-checks the index with > where it should use >= — the sibling glyph_cache_put() already gets it right. Since the cache's entries array holds exactly number pointers, an index equal to number slips past the check and reads one slot past the end, which the caller then dereferences as a glyph. It's the read-side twin of CVE-2020-11098 (the write side was fixed back in 2.1.2; the read side never was), and it's still present in 3.25.0 and master.
Severity
See what this means
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | freerdp | Pending Fix | ||
| Amazon Linux 2023 | freerdp | Pending Fix |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 5.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L |