freerdp-2.11.7-1.el9_7.5
エラータID: AXSA:2026-397:10
リリース日:
2026/04/03 Friday - 16:36
題名:
freerdp-2.11.7-1.el9_7.5
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- FreeRDP には、ヒープベースのバッファオーバーフローの問題が
あるため、リモートの攻撃者により、メモリ破壊、およびサービス
拒否攻撃 (クラッシュの発生) を可能とする脆弱性が存在します。
(CVE-2026-22852)
- FreeRDP には、ヒープベースのバッファオーバーフローの問題が
あるため、リモートの攻撃者により、情報の漏洩、データ破壊、および
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2026-22854)
- FreeRDP には、メモリ領域の解放後利用の問題があるため、リモート
の攻撃者により、情報の漏洩、データ破壊、およびサービス拒否攻撃を
可能とする脆弱性が存在します。(CVE-2026-22856)
- FreeRDP には、ヒープベースのバッファオーバーフローの問題が
あるため、リモートの攻撃者により、サービス拒否攻撃を可能とする
脆弱性が存在します。(CVE-2026-23732)
- FreeRDP には、NULL ポインタデリファレンスの問題があるため、
リモートの攻撃者により、サービス拒否攻撃を可能とする脆弱性が
存在します。(CVE-2026-23948)
- FreeRDP には、メモリ領域の解放後利用の問題があるため、リモート
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-24491)
- FreeRDP には、ヒープベースのバッファオーバーフローの問題が
あるため、リモートの攻撃者により、サービス拒否攻撃を可能とする
脆弱性が存在します。(CVE-2026-24675)
- FreeRDP には、メモリ領域の解放後利用の問題があるため、リモート
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-24676)
- FreeRDP には、ヒープベースのバッファオーバーフローの問題が
あるため、リモートの攻撃者により、サービス拒否攻撃を可能とする
脆弱性が存在します。(CVE-2026-24679)
- FreeRDP には、メモリ領域の解放後利用の問題があるため、リモート
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-24681)
- FreeRDP には、メモリ領域の解放後利用の問題があるため、リモート
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-24683)
- FreeRDP には、メモリ領域の解放後利用の問題があるため、リモート
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-24684)
- FreeRDP には、ヒープベースのバッファオーバーフローの問題が
あるため、リモートの攻撃者により、任意のコードの実行を可能とする
脆弱性が存在します。(CVE-2026-31806)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2026-22852
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.
CVE-2026-22854
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1.
CVE-2026-22856
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.
CVE-2026-23732
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client‑side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client‑side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue.
CVE-2026-23948
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, a NULL pointer dereference vulnerability in rdp_write_logon_info_v2() allows a malicious RDP server to crash FreeRDP proxy by sending a specially crafted LogonInfoV2 PDU with cbDomain=0 or cbUserName=0. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, a NULL pointer dereference vulnerability in rdp_write_logon_info_v2() allows a malicious RDP server to crash FreeRDP proxy by sending a specially crafted LogonInfoV2 PDU with cbDomain=0 or cbUserName=0. This vulnerability is fixed in 3.22.0.
CVE-2026-24491
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notifications after the control channel is closed, dereferencing a freed callback and triggering a use after free. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notifications after the control channel is closed, dereferencing a freed callback and triggering a use after free. This vulnerability is fixed in 3.22.0.
CVE-2026-24675
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, urb_select_interface can free the device's MS config on error but later code still dereferences it, leading to a use after free in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, urb_select_interface can free the device's MS config on error but later code still dereferences it, leading to a use after free in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
CVE-2026-24676
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, AUDIN format renegotiation frees the active format list while the capture thread continues using audin->format, leading to a use after free in audio_format_compatible. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, AUDIN format renegotiation frees the active format list while the capture thread continues using audin->format, leading to a use after free in audio_format_compatible. This vulnerability is fixed in 3.22.0.
CVE-2026-24679
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, The URBDRC client uses server-supplied interface numbers as array indices without bounds checks, causing an out-of-bounds read in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, The URBDRC client uses server-supplied interface numbers as array indices without bounds checks, causing an out-of-bounds read in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
CVE-2026-24681
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, aAsynchronous bulk transfer completions can use a freed channel callback after URBDRC channel close, leading to a use after free in urb_write_completion. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, aAsynchronous bulk transfer completions can use a freed channel callback after URBDRC channel close, leading to a use after free in urb_write_completion. This vulnerability is fixed in 3.22.0.
CVE-2026-24683
FreeRDP is a free implementation of the Remote Desktop Protocol. ainput_send_input_event caches channel_callback in a local variable and later uses it without synchronization; a concurrent channel close can free or reinitialize the callback, leading to a use after free. Prior to 3.22.0, This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. ainput_send_input_event caches channel_callback in a local variable and later uses it without synchronization; a concurrent channel close can free or reinitialize the callback, leading to a use after free. Prior to 3.22.0, This vulnerability is fixed in 3.22.0.
CVE-2026-24684
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsnd_treat_wave. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsnd_treat_wave. This vulnerability is fixed in 3.22.0.
CVE-2026-31806
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits() function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size. Because these values are used during bitmap decoding and memory operations without proper bounds checking, this can lead to a heap buffer overflow. Since the attacker can also control the associated pixel data transmitted by the server, the overflow may be exploitable to overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits() function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size. Because these values are used during bitmap decoding and memory operations without proper bounds checking, this can lead to a heap buffer overflow. Since the attacker can also control the associated pixel data transmitted by the server, the overflow may be exploitable to overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0.
追加情報:
N/A
ダウンロード:
SRPMS
- freerdp-2.11.7-1.el9_7.5.src.rpm
MD5: 10839f303973a83a1c89a90ae2cd2c65
SHA-256: 2f9aecf43f3cd56505c35725e8fe19ed521703839ba0ef488feb2fe4dc80c099
Size: 7.02 MB
Asianux Server 9 for x86_64
- freerdp-2.11.7-1.el9_7.5.x86_64.rpm
MD5: f2abf3962d9df68901f5318b52604c46
SHA-256: 270087a4e83e8efa0981aaf719af21936bc97eda5bf4c18c81e47eda9b9ba2fe
Size: 111.50 kB - freerdp-devel-2.11.7-1.el9_7.5.i686.rpm
MD5: d07411aec78741165cb6e9d8550681eb
SHA-256: 4854624e825b6c8245281523bcd00b5993dc4cba9205184b9b8f4f709929fbff
Size: 175.79 kB - freerdp-devel-2.11.7-1.el9_7.5.x86_64.rpm
MD5: 6bbcf0a65a1d6a6f4aeddf6ca5786e76
SHA-256: 1e0354243c48fdd9da22e6c14c00c8cc95c06ed8cef19e8643376cf7d2050d33
Size: 175.92 kB - freerdp-libs-2.11.7-1.el9_7.5.i686.rpm
MD5: 7c15056288e24c9d9f664017c0c5eee5
SHA-256: ba73f2d739e373fab8726911d77a72260875401b46d959bd3e5d82f8d01babea
Size: 850.88 kB - freerdp-libs-2.11.7-1.el9_7.5.x86_64.rpm
MD5: de2dd964cb9d3b84e2628c6cbc39dfff
SHA-256: fa72cf7e9402147af5c8dec5f6477858935134a6a4774fd5795583ae0f9c66b6
Size: 905.94 kB - libwinpr-2.11.7-1.el9_7.5.i686.rpm
MD5: fc82d5a70b21b028a7d9c79aea80ac03
SHA-256: 4517a743b6cf4f38b46d1089ad371c20cf007b92c7c6c1eef6bb249163e06c0d
Size: 341.03 kB - libwinpr-2.11.7-1.el9_7.5.x86_64.rpm
MD5: 3f6ec09f43cc580b7e03ea9cd0c21cac
SHA-256: 0d2b0c5e716d247be41f0ad2e3bd16409f72a0e2799809dadab92dcb01e6e797
Size: 353.59 kB - libwinpr-devel-2.11.7-1.el9_7.5.i686.rpm
MD5: dd97587ec86c28b867d65e2eb02d3291
SHA-256: ba9396cb6a877f710decaf387e4b7f2a5c5f4f9c8c16a43529f20e21a06acca7
Size: 181.66 kB - libwinpr-devel-2.11.7-1.el9_7.5.x86_64.rpm
MD5: 77338f3fc6da28ff49e5b810b94d2afe
SHA-256: 3666624d13f5d66fa4bc36c1bbd5ae6002c0b0d02691c089df99387f81d967ae
Size: 181.66 kB
English