freerdp-2.11.7-1.el9_7.7
エラータID: AXSA:2026-628:18
以下項目について対処しました。
[Security Fix]
- FreeRDP には、メモリ領域の解放後利用の問題があるため、リモート
の攻撃者により、情報の漏洩、データ破壊、およびサービス拒否攻撃を
可能とする脆弱性が存在します。(CVE-2026-25952)
- FreeRDP には、メモリ領域の二重解放の問題があるため、リモートの
攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-26986)
- FreeRDP には、整数オーバーフローの問題があるため、リモートの
攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-27951)
- FreeRDP には、メモリ領域の範囲外書き込みの問題があるため、
リモートの攻撃者により、サービス拒否攻撃を可能とする脆弱性が
存在します。(CVE-2026-29775)
- FreeRDP には、ヒープベースのバッファオーバーフローの問題が
あるため、リモートの攻撃者により、情報の漏洩、データ破壊、および
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2026-31883)
- FreeRDP には、ゼロ除算の問題があるため、リモートの攻撃者により、
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2026-31884)
- FreeRDP には、メモリ領域の範囲外読み取りの問題があるため、
リモートの攻撃者により、情報の漏洩を可能とする脆弱性が存在します。
(CVE-2026-31885)
- FreeRDP には、メモリ領域の範囲外読み取りの問題があるため、
リモートの攻撃者により、情報の漏洩を可能とする脆弱性が存在します。
(CVE-2026-33985)
パッケージをアップデートしてください。
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and server implementations using `FreeRDP`. For practical exploitation this will only work on 32bit systems where the available physical memory is `>= SIZE_MAX`. Version 3.23.0 contains a patch. No known workarounds are available.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, division by zero in MS-ADPCM and IMA-ADPCM decoders when nBlockAlign is 0, leading to a crash. In libfreerdp/codec/dsp.c, both ADPCM decoders use size % block_size where block_size = context->common.format.nBlockAlign. The nBlockAlign value comes from the Server Audio Formats PDU on the RDPSND channel. The value 0 is not validated anywhere before reaching the decoder. When nBlockAlign = 0, the modulo operation causes a SIGFPE (floating point exception) crash. This vulnerability is fixed in 3.24.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input data. This vulnerability is fixed in 3.24.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, pixel data from adjacent heap memory is rendered to screen, potentially leaking sensitive data to the attacker. This issue has been patched in version 3.24.2.
N/A
SRPMS
- freerdp-2.11.7-1.el9_7.7.src.rpm
MD5: 53f5c2fd4a053a96dbbcc267a62f93de
SHA-256: a385cf9cb967fed8ff29adb2babe730f8c26acfab165ec682e08673b0041100d
Size: 7.04 MB
Asianux Server 9 for x86_64
- freerdp-2.11.7-1.el9_7.7.x86_64.rpm
MD5: dc41d2ece87ca25260cfd79948700ec3
SHA-256: 7d05914b79334d404948cfcb6898f4264ecee98167cff0a6b61a13f9c71aee8a
Size: 112.05 kB - freerdp-devel-2.11.7-1.el9_7.7.i686.rpm
MD5: 49e3079226307e10b7b38fccce4e0432
SHA-256: 4c1f9199c5653c455f7120d7dadb2ba2b4e7b19845f2953bffe8a94824386c59
Size: 176.53 kB - freerdp-devel-2.11.7-1.el9_7.7.x86_64.rpm
MD5: 18800d26b7b928fbd53a3f60958b461e
SHA-256: e707840b7a577a0d0f3ba5a944f7c1506976d233ec5bbe78733c444c8d081859
Size: 176.55 kB - freerdp-libs-2.11.7-1.el9_7.7.i686.rpm
MD5: 8b1175030c9e38b9eebc3510d37990ce
SHA-256: 217096f87e0be93d1e3bbc5447a9a686d219e598f34fdbf77fe26bf74b252b5e
Size: 852.11 kB - freerdp-libs-2.11.7-1.el9_7.7.x86_64.rpm
MD5: b6d6d4e5021f8f69e622a5812000962c
SHA-256: 06852ac24ee80f3b040fe64c5fefc96bcf0a6b37464bdfb16ec1dadc5e19bdd8
Size: 907.52 kB - libwinpr-2.11.7-1.el9_7.7.i686.rpm
MD5: e06e760de5814c8cf7a086207ab233c1
SHA-256: 565827e16f90bf74d3f5116e841fa3d25b70fa8d4d30db2dab6d0327cef0e1d6
Size: 341.96 kB - libwinpr-2.11.7-1.el9_7.7.x86_64.rpm
MD5: a9b90bc09764b5882dc44d3190eeb7ff
SHA-256: 8114922108564634db9d2fd8c272420dc6637024d41aa713a2aa94db5d6af6f1
Size: 355.97 kB - libwinpr-devel-2.11.7-1.el9_7.7.i686.rpm
MD5: 08efe72ef50eecc3450674a93318c45f
SHA-256: 6bb071165bc84f04ea771a81f64fe08e4df208e2fadcf4ca75d82ac2e41fd47c
Size: 182.44 kB - libwinpr-devel-2.11.7-1.el9_7.7.x86_64.rpm
MD5: 76742be5b1e75ffff28a5869eb94c6dd
SHA-256: c871440f4e0719add8b039b0ebd925b796c7a1cd082584fe494b4051d53574a9
Size: 182.41 kB