FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client application xfreerdp.
Security Fix(es):
A malicious server can trigger a client-side global buffer overflow, causing a crash (denial of service)(CVE-2026-25942)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a heap-use-after-free vulnerability exists in the X11 client backend. Specifically, the xf_SetWindowMinMaxInfo function dereferences a freed xfAppWindow pointer. This occurs because xf_rail_get_window within xf_rail_server_min_max_info returns an unprotected pointer from the railWindows hash table. The main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer, leading to a dangling pointer. A malicious server can exploit this to trigger a client-side crash (Denial of Service) and potentially cause heap corruption with a risk of code execution, depending on allocator behavior and surrounding heap layout.(CVE-2026-25952)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the xf_AppUpdateWindowFromSurface function reads from a freed xfAppWindow object. This occurs because the RDPGFX DVC thread obtains a bare pointer via xf_rail_get_window without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order, resulting in a use-after-free condition. A malicious server can exploit this vulnerability to trigger a client-side heap use-after-free, causing a crash (Denial of Service) and potentially leading to heap corruption with a risk of code execution, depending on allocator behavior and surrounding heap layout.(CVE-2026-25953)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the xf_rail_server_local_move_size function dereferences a freed xfAppWindow pointer. This occurs because xf_rail_get_window returns an unprotected pointer from the railWindows hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. A malicious server can trigger this client-side heap use-after-free, causing a crash (Denial of Service) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-25954)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function Stream_EnsureCapacity contains an integer overflow vulnerability that can create an endless blocking loop. This may affect all client and server implementations using FreeRDP. For practical exploitation, this will only work on 32-bit systems where the available physical memory is greater than or equal to SIZE_MAX.(CVE-2026-27951)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing horizontal bounds validation of H.264 metablock regionRects coordinates. In yuv.c, the clamp() function (line 347) only validates top/bottom against the surface/YUV height, but never checks left/right against the surface width. When avc420_yuv_to_rgb (line 67) computes destination and source pointers using rect->left, it performs unchecked pointer arithmetic that can reach far beyond the allocated surface buffer. A malicious server sends a WIRE_TO_SURFACE_PDU_1 with AVC420 codec containing a regionRects entry where left greatly exceeds the surface width (e.g., left=60000 on a 128px surface). The H.264 bitstream decodes successfully, then yuv420_process_work_callback calls avc420_yuv_to_rgb which computes pDstPoint = pDstData + rect->top * nDstStep + rect->left * 4, writing 16-byte SSE vectors 1888+ bytes past the allocated heap region. This vulnerability is fixed in 3.24.0.(CVE-2026-29774)
FreeRDP contains a heap buffer overflow vulnerability in the bitmap_cache_put function, where an out-of-bounds cacheId can lead to memory corruption.(CVE-2026-29775)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a division by zero occurs in the MS-ADPCM and IMA-ADPCM decoders when nBlockAlign is 0, leading to a crash. In libfreerdp/codec/dsp.c, both ADPCM decoders use size % blocksize where blocksize = context->common.format.nBlockAlign. The nBlockAlign value comes from the Server Audio Formats PDU on the RDPSND channel. The value 0 is not validated anywhere before reaching the decoder. When nBlockAlign = 0, the modulo operation causes a SIGFPE (floating point exception) crash. This vulnerability is fixed in 3.24.0.(CVE-2026-31884)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in freerdp_bitmap_decompress_planar when SrcSize is 0. The function dereferences *srcp (which points to pSrcData) without first verifying that SrcSize >= 1. When SrcSize is 0 and pSrcData is non-NULL, this reads one byte past the end of the source buffer. This vulnerability is fixed in 3.24.0.(CVE-2026-31897)
A vulnerability exists in FreeRDP when processing the ClearCodec protocol, involving a desynchronization in glyph cache counts. An attacker can craft a malicious RDP packet, causing a mismatch in glyph cache counts on the client or server side, which triggers a heap out-of-bounds read. Successful exploitation of this vulnerability could lead to information disclosure, application crash, or create conditions for further attacks.(CVE-2026-33985)
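The missing horizontal check described for CVE-2026-29774 above can be seen by comparing a top/bottom-only rectangle test with one that validates both axes. This is an added example, not FreeRDP's own code; the region_rect type and all function names are hypothetical, and the 128x128 surface with 4 bytes per pixel is a constructed input.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for one regionRects entry (not FreeRDP's own type). */
typedef struct { uint32_t left, top, right, bottom; } region_rect;

/* Models the flaw the advisory describes: only top/bottom are checked
 * against the surface height; left/right are never examined. */
bool rect_ok_vertical_only(const region_rect* r, uint32_t width, uint32_t height)
{
	(void)width;
	return r->top < r->bottom && r->bottom <= height;
}

/* Hardened check: the rectangle must be non-empty and inside the surface
 * on both axes before any pointer is derived from it. */
bool rect_ok(const region_rect* r, uint32_t width, uint32_t height)
{
	return r->left < r->right && r->right <= width &&
	       r->top < r->bottom && r->bottom <= height;
}

/* Byte offset of the first destination pixel, top * step + left * 4,
 * computed in 64 bits so the arithmetic itself cannot wrap. */
uint64_t dst_offset(const region_rect* r, uint32_t step)
{
	return (uint64_t)r->top * step + (uint64_t)r->left * 4u;
}

/* True when the offset lands inside a buffer of step * height bytes. */
bool offset_in_buffer(const region_rect* r, uint32_t step, uint32_t height)
{
	return dst_offset(r, step) < (uint64_t)step * height;
}

int main(void)
{
	/* Constructed input: 128x128 surface, 4 bytes per pixel, left = 60000. */
	const uint32_t w = 128, h = 128, step = w * 4;
	const region_rect bad = { 60000, 0, 60016, 16 };
	printf("vertical-only accepts: %d, hardened accepts: %d\n",
	       rect_ok_vertical_only(&bad, w, h), rect_ok(&bad, w, h));
	printf("offset %llu of %llu bytes\n", (unsigned long long)dst_offset(&bad, step),
	       (unsigned long long)step * h);
	return 0;
}
```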
{
"severity": "Critical"
}
{
"aarch64": [
"freerdp-2.11.8-5.oe2003sp4.aarch64.rpm",
"freerdp-debuginfo-2.11.8-5.oe2003sp4.aarch64.rpm",
"freerdp-debugsource-2.11.8-5.oe2003sp4.aarch64.rpm",
"freerdp-devel-2.11.8-5.oe2003sp4.aarch64.rpm",
"freerdp-help-2.11.8-5.oe2003sp4.aarch64.rpm",
"libwinpr-2.11.8-5.oe2003sp4.aarch64.rpm",
"libwinpr-devel-2.11.8-5.oe2003sp4.aarch64.rpm"
],
"src": [
"freerdp-2.11.8-5.oe2003sp4.src.rpm"
],
"x86_64": [
"freerdp-2.11.8-5.oe2003sp4.x86_64.rpm",
"freerdp-debuginfo-2.11.8-5.oe2003sp4.x86_64.rpm",
"freerdp-debugsource-2.11.8-5.oe2003sp4.x86_64.rpm",
"freerdp-devel-2.11.8-5.oe2003sp4.x86_64.rpm",
"freerdp-help-2.11.8-5.oe2003sp4.x86_64.rpm",
"libwinpr-2.11.8-5.oe2003sp4.x86_64.rpm",
"libwinpr-devel-2.11.8-5.oe2003sp4.x86_64.rpm"
]
}