SB20260408111 - Fedora 43 update for freerdp

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20260408111

SB20260408111 - Fedora 43 update for freerdp

Published: April 8, 2026

Security Bulletin ID SB20260408111
Severity
High
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 18% Medium 73% Low 9%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.


1) Out-of-bounds write (CVE-ID: CVE-2026-26965)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to out-of-bounds write in planar_decompress_plane_rle() in the PLANAR RLE decode path when processing a crafted RDP planar bitmap in the temp-buffer path. A remote attacker can send a specially crafted RDP server response to execute arbitrary code.

User interaction is required because the victim must connect to a malicious RDP server.


2) Out-of-bounds write (CVE-ID: CVE-2026-26955)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to out-of-bounds write in gdi_SurfaceCommand_ClearCodec() when processing an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. A remote attacker can send a specially crafted RDP server response to execute arbitrary code.

User interaction is required because the victim must connect to a malicious RDP server.


3) Buffer Over-read (CVE-ID: CVE-2026-26271)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to buffer over-read in freerdp_image_copy_from_icon_data() when processing crafted RDP window icon data. A remote attacker can send specially crafted icon data to disclose sensitive information.

The issue is reachable over the network when a client processes icon data from an RDP server or a man-in-the-middle position.


4) Use-after-free (CVE-ID: CVE-2026-25997)

The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_clipboard_format_equal when processing clipboard format changes during auto-reconnect. A remote attacker can trigger a client reconnection sequence and concurrent clipboard activity to cause a denial of service and potentially execute arbitrary code.

The issue is client-side and occurs because the cliprdr channel thread frees lastSentFormats while the X11 event thread concurrently iterates it.


5) Use-after-free (CVE-ID: CVE-2026-25959)

The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_cliprdr_provide_data_ when processing clipboard format data responses concurrently with cached clipboard data clearing. A remote attacker can send a malicious clipboard data response from a server to cause a denial of service and potentially execute arbitrary code.

The issue is client-side and requires clipboard redirection support to be enabled.


6) Use-after-free (CVE-ID: CVE-2026-25955)

The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_AppUpdateWindowFromSurface when processing crafted RDPGFX surface updates from a malicious server. A remote attacker can send crafted surface create, delete, and repaint sequences to cause a denial of service and potentially execute arbitrary code.

Exploitation requires a client connection to a malicious RDP server with RAIL and RDPGFX support, and the issue is triggered in the X11 client with SoftwareGdi enabled.


7) Use-after-free (CVE-ID: CVE-2026-25954)

The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_rail_server_local_move_size when processing RAIL ServerLocalMoveSize PDUs concurrently with window delete orders. A remote attacker can send a sequence of crafted RAIL messages to cause a denial of service and potentially execute arbitrary code.

The issue is triggered by a race condition between the RAIL channel thread and the main thread in the X11 client.


8) Use-after-free (CVE-ID: CVE-2026-25953)

The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_AppUpdateWindowFromSurface and xf_rail_paint_surface when processing concurrent RDPGFX frame updates and fastpath window-delete orders. A remote attacker can send crafted RDPGFX PDUs and window-delete orders to cause a denial of service and potentially execute arbitrary code.

Exploitation requires a malicious RDP server to win a race between the DVC thread handling EndFrame updates and the main thread deleting the mapped window.


9) Use-after-free (CVE-ID: CVE-2026-25952)

The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_SetWindowMinMaxInfo when processing RAIL ServerMinMaxInfo orders concurrently with window delete orders. A remote attacker can send crafted RAIL orders to cause a denial of service and potentially execute arbitrary code.

The issue is triggered on the client side by a malicious server due to a race between the RAIL channel thread and the main thread.


10) Out-of-bounds read (CVE-ID: CVE-2026-25942)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds read in xf_rail_server_execute_result when processing a server-supplied TS_RAIL_ORDER_EXEC_RESULT PDU. A remote attacker can send a specially crafted execResult value to cause a denial of service.

The issue is triggered when the server provides an execResult value of 7 or greater, which is used as an unchecked index into the global error_code_names array.


11) Out-of-bounds read (CVE-ID: CVE-2026-25941)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to out-of-bounds read in rdpgfx_recv_wire_to_surface_2_pdu in the RDPGFX channel when processing a crafted WIRE_TO_SURFACE_2 PDU with a bitmapDataLength value larger than the actual packet data. A remote attacker can send a specially crafted RDP server response to disclose sensitive information.

User interaction is required because the victim must connect to a malicious server.


Remediation

Install update from vendor's website.

References