{"schema_version":"1.7.2","id":"OESA-2026-2039","modified":"2026-04-25T05:48:56Z","published":"2026-04-25T05:48:56Z","upstream":["CVE-2026-26955","CVE-2026-26965","CVE-2026-31806","CVE-2026-31883","CVE-2026-31885","CVE-2026-33983","CVE-2026-33984"],"summary":"freerdp security update","details":"FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp.\r\n\r\nSecurity Fix(es):\n\nFreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.(CVE-2026-26955)\n\nFreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and  on the brk heap (desktop ≤ 128×128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability.(CVE-2026-26965)\n\nFreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0,  the gdi_surface_bits() function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size. Because these values are used during bitmap decoding and memory operations without proper bounds checking, this can lead to a heap buffer overflow. Since the attacker can also control the associated pixel data transmitted by the server, the overflow may be exploitable to overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0.(CVE-2026-31806)\n\nFreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.(CVE-2026-31883)\n\nFreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input data. This vulnerability is fixed in 3.24.0.(CVE-2026-31885)\n\nFreeRDP is an open-source Remote Desktop Protocol (RDP) client. An integer underflow vulnerability exists in the implementation of its Progressive codec. By sending a specially crafted RDP packet, an attacker can trigger an underflow of a BYTE (unsigned 8-bit integer) variable, leading to undefined behavior (UB). This may cause the application to crash or enter an infinite loop, consuming excessive CPU resources and resulting in a denial-of-service (DoS) condition. The vulnerability stems from insufficient boundary checks on input data.(CVE-2026-33983)\n\nFreeRDP is an open-source implementation of the Remote Desktop Protocol (RDP) client. A heap out-of-bounds write vulnerability exists in the `resize_vbar_entry()` function of its ClearCodec component when processing specific video data. An attacker can craft a malicious RDP packet to trigger this vulnerability, potentially leading to remote code execution or service crash.(CVE-2026-33984)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS","name":"freerdp","purl":"pkg:rpm/openEuler/freerdp&distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.11.8-3.oe2403"}]}],"ecosystem_specific":{"aarch64":["freerdp-2.11.8-3.oe2403.aarch64.rpm","freerdp-debuginfo-2.11.8-3.oe2403.aarch64.rpm","freerdp-debugsource-2.11.8-3.oe2403.aarch64.rpm","freerdp-devel-2.11.8-3.oe2403.aarch64.rpm","freerdp-help-2.11.8-3.oe2403.aarch64.rpm","libwinpr-2.11.8-3.oe2403.aarch64.rpm","libwinpr-devel-2.11.8-3.oe2403.aarch64.rpm"],"src":["freerdp-2.11.8-3.oe2403.src.rpm"],"x86_64":["freerdp-2.11.8-3.oe2403.x86_64.rpm","freerdp-debuginfo-2.11.8-3.oe2403.x86_64.rpm","freerdp-debugsource-2.11.8-3.oe2403.x86_64.rpm","freerdp-devel-2.11.8-3.oe2403.x86_64.rpm","freerdp-help-2.11.8-3.oe2403.x86_64.rpm","libwinpr-2.11.8-3.oe2403.x86_64.rpm","libwinpr-devel-2.11.8-3.oe2403.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2039"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26955"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26965"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31806"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31883"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31885"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33983"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33984"}],"database_specific":{"severity":"Critical"}}