freerdp-2.11.7-7.el9_8.3
エラータID: AXSA:2026-1208:22
以下項目について対処しました。
[Security Fix]
- FreeRDP には、メモリ領域の解放後利用の問題があるため、リモート
の攻撃者により、情報の漏洩、データ破壊、およびサービス拒否攻撃を
可能とする脆弱性が存在します。(CVE-2026-25952)
- FreeRDP には、メモリ領域の二重解放の問題があるため、リモートの
攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-26986)
- FreeRDP には、整数オーバーフローの問題があるため、リモートの
攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-27951)
- FreeRDP には、メモリ領域の範囲外書き込みの問題があるため、
リモートの攻撃者により、サービス拒否攻撃を可能とする脆弱性が
存在します。(CVE-2026-29775)
- FreeRDP には、ヒープベースのバッファオーバーフローの問題が
あるため、リモートの攻撃者により、情報の漏洩、データ破壊、および
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2026-31883)
- FreeRDP には、ゼロ除算の問題があるため、リモートの攻撃者により、
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2026-31884)
- FreeRDP には、メモリ領域の範囲外読み取りの問題があるため、
リモートの攻撃者により、情報の漏洩を可能とする脆弱性が存在します。
(CVE-2026-31885)
- FreeRDP には、メモリ領域の範囲外読み取りの問題があるため、
リモートの攻撃者により、情報の漏洩を可能とする脆弱性が存在します。
(CVE-2026-33985)
パッケージをアップデートしてください。
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and server implementations using `FreeRDP`. For practical exploitation this will only work on 32bit systems where the available physical memory is `>= SIZE_MAX`. Version 3.23.0 contains a patch. No known workarounds are available.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, division by zero in MS-ADPCM and IMA-ADPCM decoders when nBlockAlign is 0, leading to a crash. In libfreerdp/codec/dsp.c, both ADPCM decoders use size % block_size where block_size = context->common.format.nBlockAlign. The nBlockAlign value comes from the Server Audio Formats PDU on the RDPSND channel. The value 0 is not validated anywhere before reaching the decoder. When nBlockAlign = 0, the modulo operation causes a SIGFPE (floating point exception) crash. This vulnerability is fixed in 3.24.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input data. This vulnerability is fixed in 3.24.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, pixel data from adjacent heap memory is rendered to screen, potentially leaking sensitive data to the attacker. This issue has been patched in version 3.24.2.
N/A
SRPMS
- freerdp-2.11.7-7.el9_8.3.src.rpm
MD5: 9601b30bda2216983624ada3b5bf4b98
SHA-256: 55f7b80722f3c448352bb891143c657ce2defe1bd2e8cd2e4adf23993e983564
Size: 7.05 MB
Asianux Server 9 for x86_64
- freerdp-2.11.7-7.el9_8.3.x86_64.rpm
MD5: 2c2a6c5e8ee6942ed71715340fccd474
SHA-256: 1b7e4616c97c47517eb1d23b9c89ceec5c67bd7d2a7b5c4ed5442bd0b6d85584
Size: 112.76 kB - freerdp-devel-2.11.7-7.el9_8.3.i686.rpm
MD5: ed83627fc0d3f096c41f096a63a23173
SHA-256: 7eeeea10e42b5a896f8578e7548069ca20850a34f2d9d2536bbb76b2eed22f18
Size: 176.80 kB - freerdp-devel-2.11.7-7.el9_8.3.x86_64.rpm
MD5: 259b4aa2e577b577af7832a79036dbbc
SHA-256: c2a55233282217d551ca0ae9df23d30c35908f45841f29a193eef5ad1b22b3c3
Size: 176.92 kB - freerdp-libs-2.11.7-7.el9_8.3.i686.rpm
MD5: 09a264faac8f94bc7b801d2f7a44192f
SHA-256: 1daab969222a6edc647a5b26aa5c9edfba8feee242b87c176ce7fe5c76d72873
Size: 852.81 kB - freerdp-libs-2.11.7-7.el9_8.3.x86_64.rpm
MD5: 831afc51a2d359d0d4ac46acb61440d8
SHA-256: cc3e2751d391c4dfd92d5511f351400416465ee7c4858902a17fec4e2838eb82
Size: 907.93 kB - libwinpr-2.11.7-7.el9_8.3.i686.rpm
MD5: 5fc9f83980dc1a46b808c6990fa12ae0
SHA-256: b49d0b0c6399e2ce189330dccfacd80b4d5a349ba9b0d1af0360ed1b87f052f9
Size: 341.97 kB - libwinpr-2.11.7-7.el9_8.3.x86_64.rpm
MD5: b2e54ebcce81ee34b7c47fbf8a78bfac
SHA-256: 13de1fe6f4e661757e74307e9bd3332f7eb39c3a3ad3a8cc481338fced5f493d
Size: 356.24 kB - libwinpr-devel-2.11.7-7.el9_8.3.i686.rpm
MD5: ecca3a590e40b18a2b59ad12033a3f66
SHA-256: 8c410003e27b5e8eef1a4fb4a91bece5578d40fac71dd8ddcf144c019cf5029e
Size: 182.69 kB - libwinpr-devel-2.11.7-7.el9_8.3.x86_64.rpm
MD5: 67b3a058092e907d17b662036ea51ba7
SHA-256: 058fd27bd1a46e6c5977aadc6f4ac73769de885b629112d9d56a30d436dc7a86
Size: 182.71 kB