freerdp-2.11.7-6.el8_10
エラータID: AXSA:2026-416:12
リリース日:
2026/04/13 Monday - 20:16
題名:
freerdp-2.11.7-6.el8_10
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- FreeRDP には、ヒープベースのバッファオーバーフローの問題が
あるため、リモートの攻撃者により、メモリ破壊、およびサービス
拒否攻撃 (クラッシュの発生) を可能とする脆弱性が存在します。
(CVE-2026-22852)
- FreeRDP には、ヒープベースのバッファオーバーフローの問題が
あるため、リモートの攻撃者により、情報の漏洩、データ破壊、および
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2026-22854)
- FreeRDP には、メモリ領域の解放後利用の問題があるため、リモート
の攻撃者により、情報の漏洩、データ破壊、およびサービス拒否攻撃を
可能とする脆弱性が存在します。(CVE-2026-22856)
- FreeRDP には、ヒープベースのバッファオーバーフローの問題が
あるため、リモートの攻撃者により、サービス拒否攻撃を可能とする
脆弱性が存在します。(CVE-2026-23732)
- FreeRDP には、NULL ポインタデリファレンスの問題があるため、
リモートの攻撃者により、サービス拒否攻撃を可能とする脆弱性が
存在します。(CVE-2026-23948)
- FreeRDP には、メモリ領域の解放後利用の問題があるため、リモート
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-24491)
- FreeRDP には、ヒープベースのバッファオーバーフローの問題が
あるため、リモートの攻撃者により、サービス拒否攻撃を可能とする
脆弱性が存在します。(CVE-2026-24675)
- FreeRDP には、メモリ領域の解放後利用の問題があるため、リモート
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-24676)
- FreeRDP には、ヒープベースのバッファオーバーフローの問題が
あるため、リモートの攻撃者により、サービス拒否攻撃を可能とする
脆弱性が存在します。(CVE-2026-24679)
- FreeRDP には、メモリ領域の解放後利用の問題があるため、リモート
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-24681)
- FreeRDP には、メモリ領域の解放後利用の問題があるため、リモート
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-24683)
- FreeRDP には、メモリ領域の解放後利用の問題があるため、リモート
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-24684)
- FreeRDP には、ヒープベースのバッファオーバーフローの問題が
あるため、リモートの攻撃者により、任意のコードの実行を可能とする
脆弱性が存在します。(CVE-2026-31806)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2026-22852
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.
CVE-2026-22854
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1.
CVE-2026-22856
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.
CVE-2026-23732
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client‑side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client‑side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue.
CVE-2026-23948
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, a NULL pointer dereference vulnerability in rdp_write_logon_info_v2() allows a malicious RDP server to crash FreeRDP proxy by sending a specially crafted LogonInfoV2 PDU with cbDomain=0 or cbUserName=0. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, a NULL pointer dereference vulnerability in rdp_write_logon_info_v2() allows a malicious RDP server to crash FreeRDP proxy by sending a specially crafted LogonInfoV2 PDU with cbDomain=0 or cbUserName=0. This vulnerability is fixed in 3.22.0.
CVE-2026-24491
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notifications after the control channel is closed, dereferencing a freed callback and triggering a use after free. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notifications after the control channel is closed, dereferencing a freed callback and triggering a use after free. This vulnerability is fixed in 3.22.0.
CVE-2026-24675
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, urb_select_interface can free the device's MS config on error but later code still dereferences it, leading to a use after free in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, urb_select_interface can free the device's MS config on error but later code still dereferences it, leading to a use after free in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
CVE-2026-24676
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, AUDIN format renegotiation frees the active format list while the capture thread continues using audin->format, leading to a use after free in audio_format_compatible. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, AUDIN format renegotiation frees the active format list while the capture thread continues using audin->format, leading to a use after free in audio_format_compatible. This vulnerability is fixed in 3.22.0.
CVE-2026-24679
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, The URBDRC client uses server-supplied interface numbers as array indices without bounds checks, causing an out-of-bounds read in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, The URBDRC client uses server-supplied interface numbers as array indices without bounds checks, causing an out-of-bounds read in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
CVE-2026-24681
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, aAsynchronous bulk transfer completions can use a freed channel callback after URBDRC channel close, leading to a use after free in urb_write_completion. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, aAsynchronous bulk transfer completions can use a freed channel callback after URBDRC channel close, leading to a use after free in urb_write_completion. This vulnerability is fixed in 3.22.0.
CVE-2026-24683
FreeRDP is a free implementation of the Remote Desktop Protocol. ainput_send_input_event caches channel_callback in a local variable and later uses it without synchronization; a concurrent channel close can free or reinitialize the callback, leading to a use after free. Prior to 3.22.0, This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. ainput_send_input_event caches channel_callback in a local variable and later uses it without synchronization; a concurrent channel close can free or reinitialize the callback, leading to a use after free. Prior to 3.22.0, This vulnerability is fixed in 3.22.0.
CVE-2026-24684
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsnd_treat_wave. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsnd_treat_wave. This vulnerability is fixed in 3.22.0.
CVE-2026-31806
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits() function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size. Because these values are used during bitmap decoding and memory operations without proper bounds checking, this can lead to a heap buffer overflow. Since the attacker can also control the associated pixel data transmitted by the server, the overflow may be exploitable to overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits() function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size. Because these values are used during bitmap decoding and memory operations without proper bounds checking, this can lead to a heap buffer overflow. Since the attacker can also control the associated pixel data transmitted by the server, the overflow may be exploitable to overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0.
追加情報:
N/A
ダウンロード:
SRPMS
- freerdp-2.11.7-6.el8_10.src.rpm
MD5: a38a0965653cc34b9406ed67bfc744df
SHA-256: 6a1811393a0dd4ac14f185247cc5f677a1bc8e716e1f3a9de64892bb87f15b4c
Size: 7.02 MB
Asianux Server 8 for x86_64
- freerdp-2.11.7-6.el8_10.x86_64.rpm
MD5: 0b159a5880f6e581580a70b91ecf3d59
SHA-256: 8f41fd075c7ff598912ef3ccacef1f424d09fea727ca72b025df287da7f4ad90
Size: 118.07 kB - freerdp-devel-2.11.7-6.el8_10.i686.rpm
MD5: a29d223f0185f43b59cbd9e03f219bc6
SHA-256: 95cfcb7a75a30568d17559fd527be77b68c9b99a85fab434ff5d7953d00ca8c5
Size: 147.28 kB - freerdp-devel-2.11.7-6.el8_10.x86_64.rpm
MD5: 8fa7e261418a9a189748dd9ff72d527f
SHA-256: 48d7dc4aedbf8787fb56fc05f495217ce2ffa6464aaf21c4dd7e03653f98ba6e
Size: 147.30 kB - freerdp-libs-2.11.7-6.el8_10.i686.rpm
MD5: c4b8cf1a383616f20fab02e80dfef676
SHA-256: 410ec57e4621da20d7d5c1f8e94fbd37655cbccdcacb6e46b96d5f27109e626a
Size: 877.05 kB - freerdp-libs-2.11.7-6.el8_10.x86_64.rpm
MD5: a6ecb57f222a48a65bd54bf0bbaa2ad0
SHA-256: 65e2e609bb6a452a8ee863d628eb4354f5430e6b3085ddb81433e8597d208d51
Size: 928.96 kB - libwinpr-2.11.7-6.el8_10.i686.rpm
MD5: 508fa06c3105040a989e4c632ffac7a5
SHA-256: 10183da907a29256e24cd314b54c97f3755d23022c5c3eeb5805fce07f26f64e
Size: 362.09 kB - libwinpr-2.11.7-6.el8_10.x86_64.rpm
MD5: f9160b3f76dbb6f76e71c5e81236e9d6
SHA-256: fa46f658a8841a6601a3a7c2355b89fa7b53974c3c1dea5b5de3a37b27878368
Size: 378.89 kB - libwinpr-devel-2.11.7-6.el8_10.i686.rpm
MD5: 18d395dbccaa7463f879ed11f4532d91
SHA-256: f4bbb891248ef3b2736d242c9a35e4e750327b7cce87dbaa604e66d93b4b55d5
Size: 175.42 kB - libwinpr-devel-2.11.7-6.el8_10.x86_64.rpm
MD5: 220190ad398d380c3d398dd9552ce230
SHA-256: 3a28700fc5d421728d6227df908519842edc9bb32bd06ffe54778b11d44fdaf5
Size: 175.40 kB
English