{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-13T17:28:39Z",
  "bugzilla" : {
    "description" : "freerdp: FreeRDP has a heap-buffer-overflow in bitmap_cache_put via OOB cacheId",
    "id" : "2447379",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2447379"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-787",
  "details" : [ "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.", "A heap based buffer overflow flaw has been discovered in FreeRDP. This client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. A malicious server can trigger a client-side heap out-of-bounds access (READ of 4 bytes, followed by potential WRITE of a pointer) on the bitmap cache cells array, causing a crash (DoS) and heap corruption. The off-by-one accesses cells[maxCells] which reads from and writes to adjacent heap memory, potentially enabling pointer overwrite for code execution depending on heap layout." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-11T00:00:00Z",
    "advisory" : "RHSA-2026:16014",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "freerdp-2:3.10.3-5.el10_1.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19142",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "freerdp-2:3.10.3-12.el10_2.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-05-26T00:00:00Z",
    "advisory" : "RHSA-2026:20605",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "freerdp-2:3.10.3-3.el10_0.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2026-05-26T00:00:00Z",
    "advisory" : "RHSA-2026:20546",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "freerdp-0:2.1.1-5.el7_9.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-05-11T00:00:00Z",
    "advisory" : "RHSA-2026:16019",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "freerdp-2:2.11.7-9.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19811",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "freerdp-2:2.2.0-14.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19811",
    "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4",
    "package" : "freerdp-2:2.2.0-14.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-05-13T00:00:00Z",
    "advisory" : "RHSA-2026:16814",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.6",
    "package" : "freerdp-2:2.2.0-7.el8_6.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-05-13T00:00:00Z",
    "advisory" : "RHSA-2026:16814",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6",
    "package" : "freerdp-2:2.2.0-7.el8_6.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-05-13T00:00:00Z",
    "advisory" : "RHSA-2026:16814",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6",
    "package" : "freerdp-2:2.2.0-7.el8_6.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-05-13T00:00:00Z",
    "advisory" : "RHSA-2026:16777",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.8",
    "package" : "freerdp-2:2.2.0-12.el8_8.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-05-13T00:00:00Z",
    "advisory" : "RHSA-2026:16777",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.8",
    "package" : "freerdp-2:2.2.0-12.el8_8.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-13T00:00:00Z",
    "advisory" : "RHSA-2026:16482",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "freerdp-2:2.11.7-1.el9_7.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19358",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "freerdp-2:2.11.7-7.el9_8.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-05-12T00:00:00Z",
    "advisory" : "RHSA-2026:16485",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "freerdp-2:2.4.1-3.el9_0.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-05-12T00:00:00Z",
    "advisory" : "RHSA-2026:16483",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "freerdp-2:2.4.1-6.el9_2.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-05-13T00:00:00Z",
    "advisory" : "RHSA-2026:16866",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "freerdp-2:2.11.2-1.el9_4.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-05-13T00:00:00Z",
    "advisory" : "RHSA-2026:16865",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "freerdp-2:2.11.7-1.el9_6.10"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Affected",
    "package_name" : "freerdp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-29775\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-29775\nhttps://github.com/FreeRDP/FreeRDP/commit/ffad58fd2b329efd81a3239e9d7e3c927b8e503f\nhttps://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h666-rfw3-jhvj" ],
  "name" : "CVE-2026-29775",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}