freerdp-2.11.7-9.el8_10
エラータID: AXSA:2026-607:17
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox.
Security Fix(es):
* freerdp: FreeRDP: Denial of service due to use-after-free vulnerability (CVE-2026-25952)
* freerdp: FreeRDP: Denial of Service via double free vulnerability during disconnect (CVE-2026-26986)
* freerdp: FreeRDP: Denial of Service via endless blocking loop in Stream_EnsureCapacity (CVE-2026-27951)
* freerdp: FreeRDP has a heap-buffer-overflow in bitmap_cache_put via OOB cacheId (CVE-2026-29775)
* freerdp: FreeRDP has an out-of-bounds read in ADPCM decoders due to missing predictor/step_index bounds checks (CVE-2026-31885)
* freerdp: FreeRDP has a division-by-zero in ADPCM decoders when `nBlockAlign` is 0 (CVE-2026-31884)
* freerdp: FreeRDP: Denial of Service via crafted audio data in RDP (CVE-2026-31883)
* FreeRDP: FreeRDP: Information disclosure via heap memory out of bounds read (CVE-2026-33985)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-25952
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
CVE-2026-26986
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.
CVE-2026-27951
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and server implementations using `FreeRDP`. For practical exploitation this will only work on 32bit systems where the available physical memory is `>= SIZE_MAX`. Version 3.23.0 contains a patch. No known workarounds are available.
CVE-2026-29775
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.
CVE-2026-31883
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.
CVE-2026-31884
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, division by zero in MS-ADPCM and IMA-ADPCM decoders when nBlockAlign is 0, leading to a crash. In libfreerdp/codec/dsp.c, both ADPCM decoders use size % block_size where block_size = context->common.format.nBlockAlign. The nBlockAlign value comes from the Server Audio Formats PDU on the RDPSND channel. The value 0 is not validated anywhere before reaching the decoder. When nBlockAlign = 0, the modulo operation causes a SIGFPE (floating point exception) crash. This vulnerability is fixed in 3.24.0.
CVE-2026-31885
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input data. This vulnerability is fixed in 3.24.0.
CVE-2026-33985
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, pixel data from adjacent heap memory is rendered to screen, potentially leaking sensitive data to the attacker. This issue has been patched in version 3.24.2.
Update packages.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and server implementations using `FreeRDP`. For practical exploitation this will only work on 32bit systems where the available physical memory is `>= SIZE_MAX`. Version 3.23.0 contains a patch. No known workarounds are available.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, division by zero in MS-ADPCM and IMA-ADPCM decoders when nBlockAlign is 0, leading to a crash. In libfreerdp/codec/dsp.c, both ADPCM decoders use size % block_size where block_size = context->common.format.nBlockAlign. The nBlockAlign value comes from the Server Audio Formats PDU on the RDPSND channel. The value 0 is not validated anywhere before reaching the decoder. When nBlockAlign = 0, the modulo operation causes a SIGFPE (floating point exception) crash. This vulnerability is fixed in 3.24.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input data. This vulnerability is fixed in 3.24.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, pixel data from adjacent heap memory is rendered to screen, potentially leaking sensitive data to the attacker. This issue has been patched in version 3.24.2.
N/A
SRPMS
- freerdp-2.11.7-9.el8_10.src.rpm
MD5: 9877583cc33eae0659a5644b7769d7b1
SHA-256: 10f9366597cebc8c286e8da985d3947a3c067e59b6c9b7333f578dce7b88b0f8
Size: 7.04 MB
Asianux Server 8 for x86_64
- freerdp-2.11.7-9.el8_10.x86_64.rpm
MD5: bc67ebaaeab2130edf8c284c1cc58245
SHA-256: f9046e3654b6b5f300ca6f71ea8f7e7a19e81831dfa0f9a37619cb20a9b1b027
Size: 119.99 kB - freerdp-devel-2.11.7-9.el8_10.i686.rpm
MD5: b7687717c75f19b4c114659b5c3645f9
SHA-256: 4d7c2c2b035fef62d2fdddf12eec0272d45e0689626ff25b302e766df6f641cb
Size: 148.14 kB - freerdp-devel-2.11.7-9.el8_10.x86_64.rpm
MD5: 58983353a62022f026b9ab6bc4021772
SHA-256: 7b8d7da7b32e26125a8eaf103ab6bb54318d84e5f0b24217a3314bc310d56c59
Size: 148.17 kB - freerdp-libs-2.11.7-9.el8_10.i686.rpm
MD5: 16d431d9ab6b5e77e16912bee9863f5b
SHA-256: 5875646777661332f9bedaf51f28f90d3cd698f7e3b09377ec28de4c9a2b3a59
Size: 878.54 kB - freerdp-libs-2.11.7-9.el8_10.x86_64.rpm
MD5: 0c558749dc745e14c7b0d05f57093c36
SHA-256: 81b2625ea045af37dddd869f67ba153a1ea3ebc195f9e9c57c5dfb32cbd17b0d
Size: 930.40 kB - libwinpr-2.11.7-9.el8_10.i686.rpm
MD5: c44d064f6502d51bf72b38f4f0a42489
SHA-256: 16470eb69bea0d8eafd2c3a8f15e8315595da03c6926475e4b3a91b983e4a804
Size: 363.59 kB - libwinpr-2.11.7-9.el8_10.x86_64.rpm
MD5: f019ffa5fed97b51af48284690bb0501
SHA-256: 7b9a9ee15597f2a844d8659e405962cbc3cd48e68242ec7ccd5a33abb7bead58
Size: 379.91 kB - libwinpr-devel-2.11.7-9.el8_10.i686.rpm
MD5: e59852a9ebdf9eba5994507ad78ef59b
SHA-256: 4505a58fd6b4b552f63aa505d9e822a11fb16ff7d985b50a57f8fcabc96be6f3
Size: 176.29 kB - libwinpr-devel-2.11.7-9.el8_10.x86_64.rpm
MD5: 247fc521b209879b59a04764a53b779f
SHA-256: 2f523f6a39997dd5038aa1534bfc51b985291495723b8ea81537bf501850653c
Size: 176.28 kB