OESA-2026-2039

FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp.

Security Fix(es):

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., xfreerdp) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The gdi_SurfaceCommand_ClearCodec() handler does not call is_within_surface() to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled cmd->left/cmd->top (and subcodec rectangle offsets) to reach image copy routines that write into surface->data without bounds enforcement. The OOB write corrupts an adjacent gdiGfxSurface struct's codecs* pointer with attacker-controlled pixel data, and corruption of codecs* is sufficient to reach an indirect function pointer call (NSC_CONTEXT.decode at nsc.c:500) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.(CVE-2026-26955)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, planar_decompress_plane_rle() writes into pDstData at ((nYDst+y) * nDstStep) + (4*nXDst) + nChannel without verifying that (nYDst+nSrcHeight) fits in the destination height or that (nXDst+nSrcWidth) fits in the destination stride. When TempFormat != DstFormat, pDstData becomes planar->pTempData (sized for the desktop), while nYDst is only validated against the surface by is_within_surface(). A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128×128), an adjacent NSC_CONTEXT struct's decode function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (nsc->decode = 0xFF414141FF414141). Version 3.23.0 fixes the vulnerability.(CVE-2026-26965)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdisurfacebits() function processes SURFACEBITSCOMMAND messages sent by the RDP server. When the command is handled using NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size. Because these values are used during bitmap decoding and memory operations without proper bounds checking, this can lead to a heap buffer overflow. Since the attacker can also control the associated pixel data transmitted by the server, the overflow may be exploitable to overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0.(CVE-2026-31806)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a sizet underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a sizet variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % blocksize == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZEMAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.(CVE-2026-31883)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input data. This vulnerability is fixed in 3.24.0.(CVE-2026-31885)

FreeRDP is an open-source Remote Desktop Protocol (RDP) client. An integer underflow vulnerability exists in the implementation of its Progressive codec. By sending a specially crafted RDP packet, an attacker can trigger an underflow of a BYTE (unsigned 8-bit integer) variable, leading to undefined behavior (UB). This may cause the application to crash or enter an infinite loop, consuming excessive CPU resources and resulting in a denial-of-service (DoS) condition. The vulnerability stems from insufficient boundary checks on input data.(CVE-2026-33983)

FreeRDP is an open-source implementation of the Remote Desktop Protocol (RDP) client. A heap out-of-bounds write vulnerability exists in the resize_vbar_entry() function of its ClearCodec component when processing specific video data. An attacker can craft a malicious RDP packet to trigger this vulnerability, potentially leading to remote code execution or service crash.(CVE-2026-33984)