SB20260408118 - Fedora 42 update for freerdp
Published: April 8, 2026
Description
This security bulletin contains information about 17 security vulnerabilities.
1) Reachable assertion (CVE-ID: CVE-2026-33952)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a reachable assertion in rts_read_auth_verifier_no_checks() in libfreerdp/core/gateway/rts.c when processing RPC-over-HTTP gateway PDUs. A remote attacker can send a specially crafted PDU with an invalid auth_length field to cause a denial of service.
The issue is reachable during connection setup before authentication and affects clients using RDP Gateway transport.
2) Reachable assertion (CVE-ID: CVE-2026-33977)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a reachable assertion in freerdp_dsp_decode_ima_adpcm() and dsp_decode_ima_adpcm_sample() in libfreerdp/codec/dsp.c when processing RDPSND IMA ADPCM audio data from a server. A remote attacker can send a specially crafted audio block with an invalid initial step index to cause a denial of service.
Audio redirection must be enabled, which is the default configuration.
3) Out-of-bounds read (CVE-ID: CVE-2026-33982)
The vulnerability allows a remote attacker to disclose sensitive information and cause a denial of service.
The vulnerability exists due to an out-of-bounds read in winpr_aligned_offset_recalloc() when processing a v3 persistent cache file with an entry larger than 64x64 pixels at 32bpp. A remote attacker can trick the victim into opening a crafted cache file to disclose sensitive information and cause a denial of service.
User interaction is required to process the crafted cache file.
4) Integer overflow (CVE-ID: CVE-2026-33983)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an integer overflow or wraparound in progressive_decompress_tile_upgrade() when processing progressive codec tile data with changed quant values between passes. A remote attacker can send specially crafted progressive codec data to cause a denial of service.
User interaction is required for exploitation.
5) Heap-based buffer overflow (CVE-ID: CVE-2026-33984)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a heap-based buffer overflow in resize_vbar_entry() in libfreerdp/codec/clear.c when processing ClearCodec band data from a malicious RDP server. A remote attacker can send crafted ClearCodec band data to execute arbitrary code.
User interaction is required to connect to a malicious RDP server, and exploitation depends on realloc failure under memory pressure.
6) Out-of-bounds read (CVE-ID: CVE-2026-33985)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in clear_decompress_glyph_data() in libfreerdp/codec/clear.c when processing a subsequent CLEARCODEC_FLAG_GLYPH_HIT call after a failed winpr_aligned_recalloc() operation. A remote attacker can send specially crafted ClearCodec glyph data to disclose sensitive information.
Pixel data from adjacent heap memory may be rendered to the screen. User interaction is required.
7) Heap-based buffer overflow (CVE-ID: CVE-2026-33986)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a heap-based buffer overflow in yuv_ensure_buffer() in libfreerdp/codec/h264.c when processing crafted RDPGFX AVC420 frames from a malicious RDP server. A remote attacker can send crafted H.264 NAL units to execute arbitrary code.
User interaction is required to connect to a malicious RDP server.
8) Heap-based buffer overflow (CVE-ID: CVE-2026-33987)
The vulnerability allows a remote attacker to cause a denial of service or modify data.
The vulnerability exists due to a heap-based buffer overflow in persistent_cache_read_entry_v3() in libfreerdp/cache/persistent.c when processing a crafted .bmc persistent cache file. A remote attacker can provide a specially crafted cache file to cause a denial of service or modify data.
User interaction is required to open or process the crafted persistent cache file.
9) Double free (CVE-ID: CVE-2026-33995)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a double free in kerberos_AcceptSecurityContext() and kerberos_InitializeSecurityContextA() in the Kerberos SSPI context cleanup path when handling NLA connection teardown after a failed authentication attempt. A remote attacker can trigger an authentication failure to cause a denial of service.
Only clients compiled with Kerberos support and running on systems where a Kerberos realm is configured are vulnerable.
10) Out-of-bounds write (CVE-ID: CVE-2026-29774)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in avc420_yuv_to_rgb in the AVC420/AVC444 YUV-to-RGB conversion path when processing a crafted WIRE_TO_SURFACE_PDU_1 containing out-of-range regionRects coordinates. A remote attacker can send a specially crafted malicious server response to cause a denial of service.
The issue is client-side and is triggered after the H.264 bitstream decodes successfully.
11) Out-of-bounds write (CVE-ID: CVE-2026-29775)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in bitmap_cache_put in the bitmap cache subsystem when processing a crafted CACHE_BITMAP_ORDER (Rev1) from a malicious server. A remote attacker can send a specially crafted CACHE_BITMAP_ORDER with cacheId equal to maxCells to cause a denial of service.
The issue is client-side and can also result in a 4-byte out-of-bounds read followed by heap corruption, with potential pointer overwrite depending on heap layout.
12) Integer underflow (CVE-ID: CVE-2026-29776)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an integer underflow in update_read_cache_bitmap_order() in libfreerdp/core/orders.c when processing a crafted bitmap cache order from the network. A remote attacker can send a specially crafted RDP update that causes excessive memory allocation and process termination, resulting in a denial of service.
User interaction is required, and exploitation occurs in the client while handling server-supplied RDP data.
13) Heap-based buffer overflow (CVE-ID: CVE-2026-31806)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a heap-based buffer overflow in nsc_process_message() when processing SURFACE_BITS_COMMAND messages using NSCodec. A remote attacker can send a specially crafted RDP server message with oversized bitmap dimensions to execute arbitrary code.
The issue can be triggered when a FreeRDP client connects to a malicious RDP server.
14) Heap-based buffer overflow (CVE-ID: CVE-2026-31883)
The vulnerability allows a remote attacker to overwrite heap memory.
The vulnerability exists due to a heap-based buffer overflow in the IMA-ADPCM and MS-ADPCM audio decoders in libfreerdp/codec/dsp.c when processing crafted RDPSND audio format and wave data. A remote attacker can send specially crafted RDPSND audio data to overwrite heap memory.
Audio data is processed automatically during an RDP session when RDPSND is negotiated.
15) Division by zero (CVE-ID: CVE-2026-31884)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a division by zero in the MS-ADPCM and IMA-ADPCM decoders in libfreerdp/codec/dsp.c when processing RDPSND audio format negotiation with nBlockAlign set to 0. A remote attacker can send a specially crafted Server Audio Formats PDU followed by a Wave2 PDU to cause a denial of service.
User interaction is required.
16) Out-of-bounds read (CVE-ID: CVE-2026-31885)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the MS-ADPCM and IMA-ADPCM decoders in dsp.c when processing crafted ADPCM audio data over the RDPSND channel. A remote attacker can send specially crafted audio data to disclose sensitive information.
User interaction is required.
17) Out-of-bounds read (CVE-ID: CVE-2026-31897)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in freerdp_bitmap_decompress_planar when processing a planar bitmap with SrcSize set to 0. A remote attacker can send a crafted RDPGFX Surface Command to disclose sensitive information.
User interaction is required, and the Bitmap Update PDU path is not affected because it validates the bitmap length before calling the decoder.
Remediation
Install the update from the vendor's website.