SB20260408109 - Fedora 42 update for freerdp
Published: April 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 11 secuirty vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2026-26965)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to out-of-bounds write in planar_decompress_plane_rle() in the PLANAR RLE decode path when processing a crafted RDP planar bitmap in the temp-buffer path. A remote attacker can send a specially crafted RDP server response to execute arbitrary code.
User interaction is required because the victim must connect to a malicious RDP server.
2) Out-of-bounds write (CVE-ID: CVE-2026-26955)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to out-of-bounds write in gdi_SurfaceCommand_ClearCodec() when processing an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. A remote attacker can send a specially crafted RDP server response to execute arbitrary code.
User interaction is required because the victim must connect to a malicious RDP server.
3) Buffer Over-read (CVE-ID: CVE-2026-26271)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to buffer over-read in freerdp_image_copy_from_icon_data() when processing crafted RDP window icon data. A remote attacker can send specially crafted icon data to disclose sensitive information.
The issue is reachable over the network when a client processes icon data from an RDP server or a man-in-the-middle position.
4) Use-after-free (CVE-ID: CVE-2026-25997)
The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in xf_clipboard_format_equal when processing clipboard format changes during auto-reconnect. A remote attacker can trigger a client reconnection sequence and concurrent clipboard activity to cause a denial of service and potentially execute arbitrary code.
The issue is client-side and occurs because the cliprdr channel thread frees lastSentFormats while the X11 event thread concurrently iterates it.
5) Use-after-free (CVE-ID: CVE-2026-25959)
The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in xf_cliprdr_provide_data_ when processing clipboard format data responses concurrently with cached clipboard data clearing. A remote attacker can send a malicious clipboard data response from a server to cause a denial of service and potentially execute arbitrary code.
The issue is client-side and requires clipboard redirection support to be enabled.
6) Use-after-free (CVE-ID: CVE-2026-25955)
The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in xf_AppUpdateWindowFromSurface when processing crafted RDPGFX surface updates from a malicious server. A remote attacker can send crafted surface create, delete, and repaint sequences to cause a denial of service and potentially execute arbitrary code.
Exploitation requires a client connection to a malicious RDP server with RAIL and RDPGFX support, and the issue is triggered in the X11 client with SoftwareGdi enabled.
7) Use-after-free (CVE-ID: CVE-2026-25954)
The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in xf_rail_server_local_move_size when processing RAIL ServerLocalMoveSize PDUs concurrently with window delete orders. A remote attacker can send a sequence of crafted RAIL messages to cause a denial of service and potentially execute arbitrary code.
The issue is triggered by a race condition between the RAIL channel thread and the main thread in the X11 client.
8) Use-after-free (CVE-ID: CVE-2026-25953)
The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in xf_AppUpdateWindowFromSurface and xf_rail_paint_surface when processing concurrent RDPGFX frame updates and fastpath window-delete orders. A remote attacker can send crafted RDPGFX PDUs and window-delete orders to cause a denial of service and potentially execute arbitrary code.
Exploitation requires a malicious RDP server to win a race between the DVC thread handling EndFrame updates and the main thread deleting the mapped window.
9) Use-after-free (CVE-ID: CVE-2026-25952)
The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in xf_SetWindowMinMaxInfo when processing RAIL ServerMinMaxInfo orders concurrently with window delete orders. A remote attacker can send crafted RAIL orders to cause a denial of service and potentially execute arbitrary code.
The issue is triggered on the client side by a malicious server due to a race between the RAIL channel thread and the main thread.
10) Out-of-bounds read (CVE-ID: CVE-2026-25942)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read in xf_rail_server_execute_result when processing a server-supplied TS_RAIL_ORDER_EXEC_RESULT PDU. A remote attacker can send a specially crafted execResult value to cause a denial of service.
The issue is triggered when the server provides an execResult value of 7 or greater, which is used as an unchecked index into the global error_code_names array.
11) Out-of-bounds read (CVE-ID: CVE-2026-25941)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in rdpgfx_recv_wire_to_surface_2_pdu in the RDPGFX channel when processing a crafted WIRE_TO_SURFACE_2 PDU with a bitmapDataLength value larger than the actual packet data. A remote attacker can send a specially crafted RDP server response to disclose sensitive information.
User interaction is required because the victim must connect to a malicious server.
Remediation
Install update from vendor's website.