<Vulnerability name="CVE-2026-57158">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-10T19:49:03</PublicDate>
    <Bugzilla id="2499155" url="https://bugzilla.redhat.com/show_bug.cgi?id=2499155" xml:lang="en:us">
FreeRDP: FreeRDP: Information disclosure via truncated RDPGFX planar payload
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>5.4</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-125</CWE>
    <Details xml:lang="en:us" source="Mitre">
FreeRDP is a free implementation of the Remote Desktop Protocol. From 3.21.0 before 3.28.0, FreeRDP clients using the GFX pipeline contain an incomplete fix for CVE-2026-23530 in planar_decompress_plane_rle_only in libfreerdp/codec/planar.c, allowing a malicious RDP server to send a truncated RDPGFX_CMDID_WIRETOSURFACE_1 planar payload that reads one byte past the input buffer. This issue is fixed in version 3.28.0.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). FreeRDP clients using the Graphics (GFX) pipeline are vulnerable to an out-of-bounds read. A malicious RDP server can exploit this by sending a specially crafted, truncated RDPGFX_CMDID_WIRETOSURFACE_1 planar payload. This can lead to reading one byte beyond the intended buffer, potentially disclosing sensitive information or causing a denial of service.
    </Details>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>freerdp</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>freerdp</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>freerdp</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>freerdp</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>freerdp</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-57158
https://nvd.nist.gov/vuln/detail/CVE-2026-57158
https://github.com/FreeRDP/FreeRDP/commit/a7e797626fcb7f1d556ce63febb84f9f4a822731
https://github.com/FreeRDP/FreeRDP/pull/12952
https://github.com/FreeRDP/FreeRDP/releases/tag/3.28.0
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mp3f-59pg-c5pp
    </References>
</Vulnerability>