PT-2026-25332 · Freerdp · Freerdp

Ehdgks0627 · Published 2026-01-01 · Updated 2026-05-22 · CVE-2026-29774

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: FreeRDP versions prior to 3.24.0

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. A client-side heap buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path because the horizontal bounds of the H.264 metablock regionRects coordinates are not validated. The issue stems from unchecked pointer arithmetic when computing destination pointers from rect->left, which can allow writes beyond the allocated heap region. A malicious server can trigger this by sending a WIRE_TO_SURFACE_PDU_1 with an AVC420 codec containing a regionRects entry whose left exceeds the surface width. The vulnerable code is located in yuv.c, in the clamp() function (line 347) and the avc420_yuv_to_rgb() function (line 67). The clamp() function only validates top/bottom against the surface height; it does not check left/right against the surface width.

Recommendations: Update FreeRDP to version 3.24.0 or later.
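The missing check the advisory describes, as an added illustration that is not FreeRDP's own code: the rect16_t and surface_t types and the row-major destination buffer are assumptions. clamp_vertical_only reproduces the defect class (only top/bottom validated against the height), clamp_rect is the hardened form that also validates left/right against the width, and rect_dst_in_bounds shows that an unchecked left value lands past the end of the destination buffer on the bottom rows.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical types modelled on the advisory's wording; not FreeRDP's definitions. */
typedef struct { uint16_t left, top, right, bottom; } rect16_t;
typedef struct { uint32_t width, height, stride, bpp; } surface_t;  /* stride and bpp in bytes */

/* Defect class from the advisory: the vertical axis is validated, the horizontal axis is not,
   so a rect with left/right beyond the surface width passes straight through. */
bool clamp_vertical_only(rect16_t *r, const surface_t *s)
{
    if (r->top >= s->height)
        return false;
    if (r->bottom > s->height)
        r->bottom = (uint16_t)s->height;
    return r->top < r->bottom;
}

/* Hardened clamp: both axes are checked against the surface, and inverted or empty
   rectangles are rejected instead of being passed on to the colour conversion. */
bool clamp_rect(rect16_t *r, const surface_t *s)
{
    if (r->left >= s->width || r->top >= s->height)
        return false;
    if (r->right > s->width)
        r->right = (uint16_t)s->width;
    if (r->bottom > s->height)
        r->bottom = (uint16_t)s->height;
    return r->left < r->right && r->top < r->bottom;
}

/* Does the rect's destination write range fit in a dst buffer of dst_size bytes?
   Call only after a clamp returned true (bottom >= 1). The end of the last row written is
   (bottom - 1) * stride + right * bpp; with a row-major layout an oversized left/right only
   spills past the buffer on the last rows, which is why height-only checks look fine. */
bool rect_dst_in_bounds(const rect16_t *r, const surface_t *s, size_t dst_size)
{
    if (r->bottom == 0)
        return false;
    uint64_t end = (uint64_t)(r->bottom - 1) * s->stride + (uint64_t)r->right * s->bpp;
    return end <= dst_size;
}
```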

Tags: Exploit · Fix · Memory Corruption · Heap Based Buffer Overflow

Weakness Enumeration

Related Identifiers

BDU:2026-04138
CVE-2026-29774
GHSA-5Q35-HV9X-7794
OESA-2026-2439
OESA-2026-2440
OESA-2026-2441
OESA-2026-2442
OPENSUSE-SU-2026:10408-1
OPENSUSE-SU-2026:20657-1
SUSE-SU-2026:1632-1
SUSE-SU-2026:1633-1
SUSE-SU-2026:1634-1
SUSE-SU-2026:1635-1
SUSE-SU-2026:1640-1
SUSE-SU-2026:21436-1

Affected Products

Freerdp