openSUSE-SU-2026:20657-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2026:20657-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/openSUSE-SU-2026:20657-1
Upstream
Related
Published
2026-04-30T16:54:03Z
Modified
2026-05-05T18:24:22.528764Z
Summary
Security update for freerdp
Details

This update for freerdp fixes the following issues:

Update to version 3.24.2.

Security issues fixed:

  • CVE-2026-25941: out-of-bounds read in the FreeRDP client RDPGFX channel (bsc#1258919).
  • CVE-2026-25942: buffer overflow of global array in xf_rail_server_execute_result (bsc#1258920).
  • CVE-2026-25952: heap use-after-free in xf_SetWindowMinMaxInfo (bsc#1258921).
  • CVE-2026-25953: heap use-after-free in xf_AppUpdateWindowFromSurface (bsc#1258923).
  • CVE-2026-25954: heap use-after-free in xf_rail_server_local_move_size (bsc#1258924).
  • CVE-2026-25955: heap use-after-free in xf_AppUpdateWindowFromSurface (bsc#1258973).
  • CVE-2026-25959: heap use-after-free in xf_cliprdr_provide_data_ (bsc#1258976).
  • CVE-2026-25997: heap use-after-free in xf_clipboard_format_equal (bsc#1258977).
  • CVE-2026-26271: buffer overread in FreeRDP icon processing (bsc#1258979).
  • CVE-2026-26955: out-of-bounds write in FreeRDP clients using the GDI surface pipeline (bsc#1258982).
  • CVE-2026-26965: out-of-bounds write in FreeRDP client RLE planar decode path (bsc#1258985).
  • CVE-2026-29774: heap buffer overflow in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path (bsc#1259689).
  • CVE-2026-29775: out-of-bounds access in the FreeRDP client bitmap cache subsystem (bsc#1259684).
  • CVE-2026-29776: integer underflow in update_read_cache_bitmap_order (bsc#1259692).
  • CVE-2026-31806: heap buffer overflow in nsc_process_message (bsc#1259653).
  • CVE-2026-31883: heap buffer overwrite due to a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders (bsc#1259679).
  • CVE-2026-31884: division by zero in MS-ADPCM and IMA-ADPCM decoders (bsc#1259680).
  • CVE-2026-31885: out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders (bsc#1259686).
  • CVE-2026-31897: out-of-bounds read in freerdp_bitmap_decompress_planar (bsc#1259693).
  • CVE-2026-33952: client-side crash due to WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks() (bsc#1261196).
  • CVE-2026-33977: client-side crash due to WINPR_ASSERT() failure in IMA ADPCM audio decoder (bsc#1261198).
  • CVE-2026-33982: heap buffer overread in in winpr_aligned_offset_recalloc (bsc#1261222).
  • CVE-2026-33983: undefined behavior and resource exhaustion via 80 billion iteration loop in progressive_decompress_tile_upgrade (bsc#1261200).
  • CVE-2026-33984: heap buffer overflow in ClearCodec resize_vbar_entry (bsc#1261211).
  • CVE-2026-33985: heap out-of-bounds read in clear_decompress_glyph_data (bsc#1261217).
  • CVE-2026-33986: heap out-of-bounds write due to H.264 YUV buffer dimension desync (bsc#1261223).
  • CVE-2026-33987: heap out-of-bounds write due to persistent cache bmpSize desync (bsc#1261226).
  • CVE-2026-33995: double-free vulnerability in kerberos_AcceptSecurityContext and kerberos_InitializeSecurityContextA (bsc#1261227).

Other updates and bugfixes:

  • Version 3.24.2:

    • [channels,video] fix wrong cast (#12511)
    • [codec,openh264] reject encoder ABI mismatch on runtime-loaded library (#12510)
    • [client,sdl] create a copy of rdpPointer (#12512)
    • [codec,video] properly pass intermediate format (#12518)
    • [utils, signal] lazily initialize Windows CRITICAL_SECTION to match POSIX static mutex behavior (#12520) winpr: improve libunwind backtraces (#12530)
    • [server,shadow] remember selected caps (#12528)
    • Zero credential data before free in NLA and NTLM context (#12532)
    • [server,proxy] ignore missing client in input channel (#12536)
    • [server,proxy] ignore rdpdr messages (#12537)
    • [winpr,sspi] improve kerberos logging (#12538)
    • Codec fixes (#12542)

  • Version 3.24.1:

    • [warnings] fix various sign and cast warnings (#12480)
    • [client,x11] start with xfc->remote_app = TRUE; (#12491)
    • Sam file read regression fix (#12484)
    • [ncrypt,smartcardlogon] support ECC keys in PKCS#11 smartcard enumeration (#12490)
    • Fix: memory leak in rdpclientestablish_keys() (#12494)
    • Fix memory leak in freerdpsettingsintbuffercopy() on error paths (libfreerdp/core/settings.c) (#12486)
    • Code Cleanups (#12493)
    • Fix: memory leak in PCSC_SCardListReadersW() (#12495)
    • [channels,telemetry] use dynamic logging (#12496)
    • [channel,gfx] use generic plugin log (@12498, #12499)
    • [channels,audin] set error when audioformatread fails (#12500)
    • [channels,video] unify error handling (#12502)
    • Fastpath fine grained lock (#12503)
    • [core,update] make the PlaySound callback non-mandatory (#12504)
    • Refinements: RPM build updates, FIPS improvements (#12506)

  • Version 3.24.0:

    • Completed the [[nodiscard]] marking of the API to warn about problematic
    • unchecked use of functions
    • Added full C23 support (default stays at C11) to allow new compilers
    • to do stricter checking
    • Improved X11 and SDL3 clients
    • Improved smartcard support
    • proxy now supports RFX graphics mode
    • Attribute nodiscard related chanes (#12325, #12360, #12395, #12406, #12421, #12426, #12177, #12403, #12405, #12407, #12409, #12408, #12412, #12413)
    • c23 related improvements (#12368, #12371, #12379, #12381, #12383, #12385, #12386, #12387, #12384)
    • Generic code cleanups (#12382, #12439, #12455, #12462, #12399, #12473) [core,utils] ignore NULL values in removerdpdrtype (#12372)
    • [codec,fdk] revert use of WinPR types (#12373)
    • [core,gateway] ignore incomplete rpc header (#12375, #12376)
    • [warnings] make function declaration names consistent (#12377)
    • [libfreerdp] Add new define for logon error info (#12380)
    • [client,x11] improve rails window locking (#12392)
    • Reload fix missing null checks (#12396)
    • Bounds checks (#12400)
    • [server,proxy] check for nullptr before using scardcallcontext (#12404)
    • [uwac] fix rectangular glitch around surface damage regions (#12410)
    • Address various error handling inconsistencies (#12411)
    • [core,server] Improve WTS API locking (#12414)
    • Address some GCC compile issues (#12415, #12420)
    • Winpr atexit (#12416)
    • [winpr,smartcard] fix function pointer casts (#12422)
    • Xf timer fix (#12423)
    • [client,sdl] workaround for wlroots compositors (#12425)
    • [client,sdl] fix SdlWindow::query (#12378)
    • [winpr,smartcard] fix PCSC_ReleaseCardContext (#12427)
    • [client,x11] eliminate obsolete compile flags (#12428)
    • [client,common] skip sending input events when not connected (#12429)
    • Input connected checks (#12430)
    • Floatbar and display channel improvements (#12431)
    • [winpr,platform] fix WINPRATTRNODISCARD definition (#12432)
    • [client] Fix writing of gatewayusagemethod to .rdp files (#12433)
    • Nodiscard finetune (#12435)
    • [core] fix missing gateway credential sync (#12436)
    • [client,sdl3] limit FREERDPWLROOTSHACK (#12441)
    • [core,settings] Allow FreeRDP_instance in setter (#12442)
    • [codec,h264] make log message trace (#12444)
    • X11 rails improve (#12440)
    • [codec,nsc] limit copy area in nscprocessmessage (#12448)
    • Proxy support RFX and NSC settings (#12449)
    • [client,common] display a shortened help on parsing issues (#12450)
    • [winpr,smartcard] refine locking for pcsc layer (#12451)
    • [codec,swscale] allow runtime loading of swscale (#12452)
    • Swscale fallback (#12454)
    • Sdl multi scaling support (#12456)
    • [packaging,flatpak] update runtime and dependencies (#12457)
    • [codec,video] add doxygen version details (#12458)
    • [github,templates] update templates (#12460)
    • [client,sdl] allow FREERDPWLROOTSHACK for all sessions (#12461)
    • [warnings,nodiscard] add log messages for failures (#12463)
    • [gdi,gdi] ignore empty rectangles (#12467)
    • Smartcard fix smartcard-login, pass rdpContext for abort (#12466)
    • [winpr,smartcard] fix compiler warnings (#12469)
    • [winpr,timezone] fix search for transition dates (#12468)
    • [client,common] improve /p help (#12471)
    • Scard logging refactored (#12472)
    • [emu,scard] fix smartcard emulation (#12475)
    • Sdl null cursor (#12474)

  • Version 3.23.0:

    • Sdl cleanup (#12202)
    • [client,sdl] do not apply window offset (#12205)
    • [client,sdl] add SDL_Error to exceptions (#12214)
    • Rdp monitor log (#12215)
    • [winpr,smartcard] implement some attributes (#12213)
    • [client,windows] Fix return value checks for mouse event functions (#12279)
    • [channels,rdpecam] fix sws context checks (#12272)
    • [client,windows] Enhance error handling and context validation (#12264)
    • [client,windows] Add window handle validation in RDPEVENTTYPEWINDOWNEW (#12261)
    • [client,sdl] fix multimon/fullscreen on wayland (#12248)
    • Vendor by app (#12207)
    • [core,gateway] relax TSG parsing (#12283)
    • [winpr,smartcard] simplify PCSC_ReadDeviceSystemName (#12273)
    • [client,windows] Implement complete keyboard indicator synchronization (#12268)
    • Fixes more more more (#12286)
    • Use application details for names (#12285)
    • warning cleanups (#12289)
    • Warning cleanup (#12291)
    • [client,windows] Enhance memory safety with NULL checks and resource protection (#12271)
    • [client,x11] apply /size:xx% only once (#12293)
    • Freerdp config test (#12295)
    • [winpr,smartcard] fix returned attribute length (#12296)
    • [client,SDL3] Fix properly handle smart-sizing with fullscreen (#12298)
    • [core,test] fix use after free (#12299)
    • Sign warnings (#12300)
    • [cmake,compiler] disable -Wjump-misses-init (#12301)
    • [codec,color] fix input length checks (#12302)
    • [client,sdl] improve cursor updates, fix surface sizes (#12303)
    • Sdl fullscreen (#12217)
    • [client,sdl] fix move constructor of SdlWindow (#12305)
    • [utils,smartcard] check stream length on padding (#12306)
    • [android] Fix invert scrolling default value mismatch (#12309)
    • Clear fix bounds checks (#12310)
    • Winpr attr nodiscard fkt ptr (#12311)
    • [codec,planar] fix missing destination bounds checks (#12312)
    • [codec,clear] fix destination checks (#12315)
    • NSC Codec fixes (#12317)
    • Freerdp api nodiscard (#12313)
    • [allocations] fix growth of preallocated buffers (#12319)
    • Rdpdr simplify (#12320)
    • Resource fix (#12323)
    • [winpr,utils] ensure message queue capacity (#12322)
    • [server,shadow] fix return and parameter checks (#12330)
    • Shadow fixes (#12331)
    • [rdtk,nodiscard] mark rdtk API nodiscard (#12329)
    • [client,x11] fix XGetWindowProperty return handling (#12334)
    • Win32 signal (#12335)
    • [channel,usb] fix message parsing and creation (#12336)
    • [cmake] Define WINPRDEFINEATTR_NODISCARD (#12338)
    • Proxy config fix (#12345)
    • [codec,progressive] refine progressive decoding (#12347)
    • [client,sdl] fix sdlPointerNew (#12350)
    • [core,gateway] parse [MS-TSGU] 2.2.10.5 HTTPCHANNELRESPONSE_OPTIONAL (#12353)
    • X11 kbd sym (#12354)
    • Windows compile warning fixes (#12357,#12358,#12359)
References

Affected packages