SB20260408113 - Fedora 44 update for freerdp




Published: April 8, 2026

Security Bulletin ID: SB20260408113
Severity: High
Patch available: YES
Number of vulnerabilities: 8
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 13%, Medium: 63%, Low: 25%

Description

This security bulletin contains information about 8 security vulnerabilities.


1) Out-of-bounds write (CVE-ID: CVE-2026-29774)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in avc420_yuv_to_rgb in the AVC420/AVC444 YUV-to-RGB conversion path when processing a crafted WIRE_TO_SURFACE_PDU_1 containing out-of-range regionRects coordinates. A remote attacker can send a specially crafted malicious server response to cause a denial of service.

The issue is client-side and is triggered after the H.264 bitstream decodes successfully.


2) Out-of-bounds write (CVE-ID: CVE-2026-29775)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in bitmap_cache_put in the bitmap cache subsystem when processing a crafted CACHE_BITMAP_ORDER (Rev1) from a malicious server. A remote attacker can send a specially crafted CACHE_BITMAP_ORDER with cacheId equal to maxCells to cause a denial of service.

The issue is client-side and can also result in a 4-byte out-of-bounds read followed by heap corruption, with potential pointer overwrite depending on heap layout.
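The boundary condition in item 2, shown as an added example: this is a simplified model, not FreeRDP's code and not part of the bulletin. The struct, the function names and the off-by-one form of the lax check are assumptions made for illustration; only the names cacheId and maxCells come from the text above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical cache with maxCells cells; valid ids are 0 .. maxCells - 1. */
typedef struct {
    uint32_t maxCells;
    uint32_t *cells; /* one stored value per cell */
} demo_cache;

demo_cache *demo_cache_new(uint32_t maxCells)
{
    demo_cache *c = calloc(1, sizeof(*c));
    if (!c)
        return NULL;
    c->cells = calloc(maxCells, sizeof(*c->cells));
    if (!c->cells) {
        free(c);
        return NULL;
    }
    c->maxCells = maxCells;
    return c;
}

void demo_cache_free(demo_cache *c)
{
    if (c) {
        free(c->cells);
        free(c);
    }
}

/* Off-by-one check (assumed form of the mistake): accepts cacheId == maxCells,
 * which is one element past the end of cells[]. */
bool demo_id_ok_lax(const demo_cache *c, uint32_t cacheId)
{
    return cacheId <= c->maxCells;
}

/* Correct check: the largest valid index is maxCells - 1. */
bool demo_id_ok(const demo_cache *c, uint32_t cacheId)
{
    return cacheId < c->maxCells;
}

/* Store a peer-supplied value; refuse any id outside the allocation
 * before touching memory. */
bool demo_cache_put(demo_cache *c, uint32_t cacheId, uint32_t value)
{
    if (!c || !demo_id_ok(c, cacheId))
        return false;
    c->cells[cacheId] = value;
    return true;
}
```
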


3) Integer underflow (CVE-ID: CVE-2026-29776)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an integer underflow in update_read_cache_bitmap_order() in libfreerdp/core/orders.c when processing a crafted bitmap cache order from the network. A remote attacker can send a specially crafted RDP update that causes excessive memory allocation and process termination to cause a denial of service.

User interaction is required, and exploitation occurs in the client while handling server-supplied RDP data.


4) Heap-based buffer overflow (CVE-ID: CVE-2026-31806)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in nsc_process_message() when processing SURFACE_BITS_COMMAND messages using NSCodec. A remote attacker can send a specially crafted RDP server message with oversized bitmap dimensions to execute arbitrary code.

The issue can be triggered when a FreeRDP client connects to a malicious RDP server.


5) Heap-based buffer overflow (CVE-ID: CVE-2026-31883)

The vulnerability allows a remote attacker to overwrite heap memory.

The vulnerability exists due to a heap-based buffer overflow in the IMA-ADPCM and MS-ADPCM audio decoders in libfreerdp/codec/dsp.c when processing crafted RDPSND audio format and wave data. A remote attacker can send specially crafted RDPSND audio data to overwrite heap memory.

Audio data is processed automatically during an RDP session when RDPSND is negotiated.


6) Division by zero (CVE-ID: CVE-2026-31884)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a division by zero in the MS-ADPCM and IMA-ADPCM decoders in libfreerdp/codec/dsp.c when processing RDPSND audio format negotiation with nBlockAlign set to 0. A remote attacker can send a specially crafted Server Audio Formats PDU followed by a Wave2 PDU to cause a denial of service.

User interaction is required.


7) Out-of-bounds read (CVE-ID: CVE-2026-31885)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the MS-ADPCM and IMA-ADPCM decoders in dsp.c when processing crafted ADPCM audio data over the RDPSND channel. A remote attacker can send specially crafted audio data to disclose sensitive information.

User interaction is required.


8) Out-of-bounds read (CVE-ID: CVE-2026-31897)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in freerdp_bitmap_decompress_planar when processing a planar bitmap with SrcSize set to 0. A remote attacker can send a crafted RDPGFX Surface Command to disclose sensitive information.

User interaction is required, and the Bitmap Update PDU path is not affected because it validates the bitmap length before calling the decoder.


Remediation

Install the update from the vendor's website.