OESA-2026-1518

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-1518
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-1518.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2026-1518
Upstream
  • CVE-2026-25941
  • CVE-2026-25997
  • CVE-2026-26271
  • CVE-2026-26986
  • CVE-2026-27015
Published
2026-03-06T12:42:32Z
Modified
2026-03-08T23:06:37.602945Z
Summary
freerdp security update
Details

FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client application xfreerdp.

Security Fix(es):

A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-22852)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when the cbAttrLen parameter does not match the actual NDR (Network Data Representation) buffer length. An attacker could potentially exploit this vulnerability to read sensitive information from process memory or cause the application to crash.(CVE-2026-22855)

A malicious server can trigger a client-side use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-22856)

A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. The vulnerability exists in the irpthreadfunc function.(CVE-2026-22857)

A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-22859)

A heap-based buffer overflow vulnerability exists in FreeRDP within the planardecompressplane_rle function, which may lead to memory corruption and arbitrary code execution.(CVE-2026-23530)

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 3.21.0, a heap buffer overflow vulnerability existed in the ClearCodec component. Specifically, when glyphData is present, the clear_decompress function calls freerdp_image_copy_no_overlap without validating the destination rectangle. This allows for out-of-bounds read/write operations when processing crafted RDPGFX surface updates. A malicious server can exploit this to trigger a client-side heap buffer overflow, causing a crash (Denial of Service) and potential heap corruption. Depending on allocator behavior and surrounding heap layout, there is a risk of arbitrary code execution.(CVE-2026-23531)

A heap-buffer-overflow vulnerability exists in FreeRDP software that could allow an attacker to execute arbitrary code or cause denial of service on affected systems. This vulnerability affects the gdi_SurfaceToSurface function and is present in versions 3.20.2 and earlier.(CVE-2026-23532)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow vulnerability exists in the RDPGFX ClearCodec decode path, specifically in the clear_decompress_residual_data function. When processing maliciously crafted residual data, out-of-bounds writes occur during color output. A malicious server can exploit this to trigger a client-side heap buffer overflow, causing a crash (Denial of Service) and potential heap corruption. Depending on allocator behavior and surrounding heap layout, there is a risk of arbitrary code execution.(CVE-2026-23533)

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 3.21.0, a client-side heap buffer overflow vulnerability exists in the ClearCodec bands decode path. When a malicious server sends crafted band coordinates, it allows writes past the end of the destination surface buffer. This can be exploited to trigger a client-side heap buffer overflow, causing a crash (Denial of Service) and potentially leading to heap corruption with the risk of arbitrary code execution, depending on allocator behavior and surrounding heap layout.(CVE-2026-23534)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, the FastGlyph parsing process trusts cbData/remaining length but never validates it against the minimum size implied by cx/cy. A malicious server can exploit this vulnerability to trigger a client-side global heap buffer overflow, causing a crash and resulting in a denial of service.(CVE-2026-23732)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, the xf_Pointer_New function frees the cursorPixels memory on failure. Subsequently, the pointer_free function calls xf_Pointer_Free, which attempts to free the same memory again, triggering an AddressSanitizer (ASan) detected use-after-free (UAF). A malicious server can trigger a client-side use-after-free, causing a crash (Denial of Service) and potentially leading to heap corruption with a risk of code execution, depending on allocator behavior and surrounding heap layout.(CVE-2026-23883)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a use-after-free vulnerability exists. Specifically, the deletion of an offscreen bitmap leaves the gdi->drawing pointer referencing freed memory. When subsequent related update packets are processed, this leads to a use-after-free condition. A malicious server can exploit this vulnerability when a client connects, causing a client-side crash (Denial of Service) and potentially leading to heap corruption. Depending on allocator behavior and heap layout, there is a risk of arbitrary code execution.(CVE-2026-23884)

A malicious server can trigger a client-side heap use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-24491)

A malicious server can trigger a client-side heap use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-24675)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, AUDIN format renegotiation frees the active format list while the capture thread continues using audin->format, leading to a use after free in audioformatcompatible. This vulnerability is fixed in 3.22.0.(CVE-2026-24676)

A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-24679)

A malicious server can trigger a client-side heap use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-24681)

A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-24682)

A malicious server can trigger a client-side heap use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-24683)

A malicious server can trigger a client-side heap use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-24684)

This is an out-of-bounds read vulnerability affecting FreeRDP clients. A malicious RDP server can exploit this to:

  1. Information Disclosure: Read sensitive data from the client's heap memory
  2. Denial of Service: Cause client crashes through memory access violations

The attack requires user interaction (connecting to a malicious server), but no authentication is needed on the server side.(CVE-2026-25941)

A malicious server can trigger a client-side heap use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-25997)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer overread in freerdp_image_copy_from_icon_data() (libfreerdp/codec/color.c) can be triggered by crafted RDP Window Icon (TSICONINFO) data. The bug is reachable over the network when a client processes icon data from an RDP server (or from a man-in-the-middle). Version 3.23.0 fixes the issue.(CVE-2026-26271)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, rail_window_free dereferences a freed xfAppWindow pointer during HashTable_Free cleanup because xf_rail_window_common calls free(appWindow) on title allocation failure without first removing the entry from the railWindows hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.(CVE-2026-26986)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in smartcard_unpack_read_size_align() (libfreerdp/utils/smartcard_pack.c:1703) allows a malicious RDP server to crash the FreeRDP client via a reachable WINPR_ASSERT abort(). The crash occurs in upstream builds where WITH_VERBOSE_WINPR_ASSERT=ON (default in FreeRDP 3.22.0 / current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., xfreerdp /smartcard; /smartcard-logon implies /smartcard). Version 3.23.0 fixes the issue.(CVE-2026-27015)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:24.03-LTS-SP3 / freerdp

Package

Name
freerdp
Purl
pkg:rpm/openEuler/freerdp&distro=openEuler-24.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.11.8-1.oe2403sp3

Ecosystem specific

{
    "x86_64": [
        "freerdp-2.11.8-1.oe2403sp3.x86_64.rpm",
        "freerdp-debuginfo-2.11.8-1.oe2403sp3.x86_64.rpm",
        "freerdp-debugsource-2.11.8-1.oe2403sp3.x86_64.rpm",
        "freerdp-devel-2.11.8-1.oe2403sp3.x86_64.rpm",
        "freerdp-help-2.11.8-1.oe2403sp3.x86_64.rpm",
        "libwinpr-2.11.8-1.oe2403sp3.x86_64.rpm",
        "libwinpr-devel-2.11.8-1.oe2403sp3.x86_64.rpm"
    ],
    "src": [
        "freerdp-2.11.8-1.oe2403sp3.src.rpm"
    ],
    "aarch64": [
        "freerdp-2.11.8-1.oe2403sp3.aarch64.rpm",
        "freerdp-debuginfo-2.11.8-1.oe2403sp3.aarch64.rpm",
        "freerdp-debugsource-2.11.8-1.oe2403sp3.aarch64.rpm",
        "freerdp-devel-2.11.8-1.oe2403sp3.aarch64.rpm",
        "freerdp-help-2.11.8-1.oe2403sp3.aarch64.rpm",
        "libwinpr-2.11.8-1.oe2403sp3.aarch64.rpm",
        "libwinpr-devel-2.11.8-1.oe2403sp3.aarch64.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-1518.json"