SB20260408117 - Fedora 43 update for freerdp




Published: April 8, 2026

Security Bulletin ID: SB20260408117
Severity: High
Patch available: YES
Number of vulnerabilities: 9
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

High: 22%, Medium: 78%

Description

This security bulletin contains information about 9 security vulnerabilities.


1) Reachable assertion (CVE-ID: CVE-2026-33952)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a reachable assertion in rts_read_auth_verifier_no_checks() in libfreerdp/core/gateway/rts.c when processing RPC-over-HTTP gateway PDUs. A remote attacker can send a specially crafted PDU with an invalid auth_length field to cause a denial of service.

The issue is reachable during connection setup before authentication and affects clients using RDP Gateway transport.


2) Reachable assertion (CVE-ID: CVE-2026-33977)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a reachable assertion in freerdp_dsp_decode_ima_adpcm() and dsp_decode_ima_adpcm_sample() in libfreerdp/codec/dsp.c when processing RDPSND IMA ADPCM audio data from a server. A remote attacker can send a specially crafted audio block with an invalid initial step index to cause a denial of service.

Audio redirection must be enabled, which is the default configuration.


3) Out-of-bounds read (CVE-ID: CVE-2026-33982)

The vulnerability allows a remote attacker to disclose sensitive information and cause a denial of service.

The vulnerability exists due to an out-of-bounds read in winpr_aligned_offset_recalloc() when processing a v3 persistent cache file with an entry larger than 64x64 pixels at 32bpp. A remote attacker can trick the victim into opening a crafted cache file to disclose sensitive information and cause a denial of service.

User interaction is required to process the crafted cache file.


4) Integer overflow (CVE-ID: CVE-2026-33983)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an integer overflow or wraparound in progressive_decompress_tile_upgrade() when processing progressive codec tile data with changed quant values between passes. A remote attacker can send specially crafted progressive codec data to cause a denial of service.

User interaction is required for exploitation.


5) Heap-based buffer overflow (CVE-ID: CVE-2026-33984)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in resize_vbar_entry() in libfreerdp/codec/clear.c when processing ClearCodec band data from a malicious RDP server. A remote attacker can send crafted ClearCodec band data to execute arbitrary code.

User interaction is required to connect to a malicious RDP server, and exploitation depends on realloc failure under memory pressure.


6) Out-of-bounds read (CVE-ID: CVE-2026-33985)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in clear_decompress_glyph_data() in libfreerdp/codec/clear.c when processing a subsequent CLEARCODEC_FLAG_GLYPH_HIT call after a failed winpr_aligned_recalloc() operation. A remote attacker can send specially crafted ClearCodec glyph data to disclose sensitive information.

Pixel data from adjacent heap memory may be rendered to the screen. User interaction is required.


7) Heap-based buffer overflow (CVE-ID: CVE-2026-33986)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in yuv_ensure_buffer() in libfreerdp/codec/h264.c when processing crafted RDPGFX AVC420 frames from a malicious RDP server. A remote attacker can send crafted H.264 NAL units to execute arbitrary code.

User interaction is required to connect to a malicious RDP server.


8) Heap-based buffer overflow (CVE-ID: CVE-2026-33987)

The vulnerability allows a remote attacker to cause a denial of service or modify data.

The vulnerability exists due to a heap-based buffer overflow in persistent_cache_read_entry_v3() in libfreerdp/cache/persistent.c when processing a crafted .bmc persistent cache file. A remote attacker can provide a specially crafted cache file to cause a denial of service or modify data.

User interaction is required to open or process the crafted persistent cache file.


9) Double free (CVE-ID: CVE-2026-33995)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a double free in kerberos_AcceptSecurityContext() and kerberos_InitializeSecurityContextA() in the Kerberos SSPI context cleanup path when handling NLA connection teardown after a failed authentication attempt. A remote attacker can trigger an authentication failure to cause a denial of service.

Only clients compiled with Kerberos support and running on systems where a Kerberos realm is configured are vulnerable.


Remediation

Install the update from the vendor's website.