SB20260408123 - openEuler 20.03 LTS SP4 update for freerdp
Published: April 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 27 secuirty vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2026-22852)
The vulnerability allows a remote attacker to compromise vulnerable system.The vulnerability exists due to a boundary error when processing untrusted input within the audin_process_formats() function. A remote attacker can trick the victim into connecting to a malicious server, trigger an out-of-bounds write and execute arbitrary code on the target system.
2) Heap-based buffer overflow (CVE-ID: CVE-2026-22854)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The vulnerability exists due to a boundary error in drive_process_irp_read() function. A remote attacker can trick the victim into connecting to a malicious server, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
3) Heap-based buffer overflow (CVE-ID: CVE-2026-22855)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The vulnerability exists due to a boundary error in smartcard_unpack_set_attrib_call() function. A remote attacker can trick the victim into connecting to a malicious server, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
4) Use-after-free (CVE-ID: CVE-2026-22856)
The vulnerability allows a remote attacker to compromise vulnerable system.The vulnerability exists due to a use-after-free error in create_irp_thread() function. A remote attacker can trick the victim into connecting to a malicious server and execute arbitrary code on the system.
5) Use-after-free (CVE-ID: CVE-2026-22857)
The vulnerability allows a remote attacker to compromise vulnerable system.The vulnerability exists due to a use-after-free error in irp_thread_func() function. A remote attacker can trick the victim into connecting to a malicious server and execute arbitrary code on the system.
6) Out-of-bounds read (CVE-ID: CVE-2026-22859)
The vulnerability allows a remote attacker to perform a denial of service attack.The vulnerability exists due to a boundary condition within the urb_select_configuration() function. A remote attacker can trick the victim into connecting to a malicious server, trigger an out-of-bounds read error and crash the application.
7) Heap-based buffer overflow (CVE-ID: CVE-2026-23530)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in planar_decompress_plane_rle. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
8) Heap-based buffer overflow (CVE-ID: CVE-2026-23531)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in clear_decompress. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
9) Heap-based buffer overflow (CVE-ID: CVE-2026-23532)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in gdi_SurfaceToSurface. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
10) Heap-based buffer overflow (CVE-ID: CVE-2026-23533)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in clear_decompress_residual_data. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
11) Heap-based buffer overflow (CVE-ID: CVE-2026-23534)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in clear_decompress_bands_data. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
12) Heap-based buffer overflow (CVE-ID: CVE-2026-23732)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Glyph_Alloc. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
13) Heap-based buffer overflow (CVE-ID: CVE-2026-23883)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in update_pointer_new. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
14) Heap-based buffer overflow (CVE-ID: CVE-2026-23884)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in gdi_set_bounds. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
15) Use-after-free (CVE-ID: CVE-2026-24491)
The vulnerability allows a remote attacker to compromise vulnerable system.The vulnerability exists due to a use-after-free error in video_timer() function. A remote attacker can trick the victim into connecting to a malicious server and execute arbitrary code on the system.
16) Use-after-free (CVE-ID: CVE-2026-24675)
The vulnerability allows a remote attacker to compromise vulnerable system.The vulnerability exists due to a use-after-free error in urb_select_interface() function. A remote attacker can trick the victim into connecting to a malicious server and execute arbitrary code on the system.
17) Use-after-free (CVE-ID: CVE-2026-24676)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in audio_format_compatible() function. A remote attacker can trick the victim into connecting to a malicious server and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
18) Heap-based buffer overflow (CVE-ID: CVE-2026-24679)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The vulnerability exists due to a boundary error in urb_select_interface() function. A remote attacker can trick the victim into connecting to a malicious server, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
19) Use-after-free (CVE-ID: CVE-2026-24681)
The vulnerability allows a remote attacker to compromise vulnerable system.The vulnerability exists due to a use-after-free error in urb_bulk_transfer_cb() function. A remote attacker can trick the victim into connecting to a malicious server and execute arbitrary code on the system.
20) Heap-based buffer overflow (CVE-ID: CVE-2026-24682)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in audio_formats_free() function. A remote attacker can trick the victim into connecting to a malicious server, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
21) Use-after-free (CVE-ID: CVE-2026-24683)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in ainput_send_input_event() function. A remote attacker can trick the victim into connecting to a malicious server and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
22) Use-after-free (CVE-ID: CVE-2026-24684)
The vulnerability allows a remote attacker to compromise vulnerable system.The vulnerability exists due to a use-after-free error in play_thread() function. A remote attacker can trick the victim into connecting to a malicious server and execute arbitrary code on the system.
23) Out-of-bounds read (CVE-ID: CVE-2026-25941)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in rdpgfx_recv_wire_to_surface_2_pdu in the RDPGFX channel when processing a crafted WIRE_TO_SURFACE_2 PDU with a bitmapDataLength value larger than the actual packet data. A remote attacker can send a specially crafted RDP server response to disclose sensitive information.
User interaction is required because the victim must connect to a malicious server.
24) Use-after-free (CVE-ID: CVE-2026-25997)
The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in xf_clipboard_format_equal when processing clipboard format changes during auto-reconnect. A remote attacker can trigger a client reconnection sequence and concurrent clipboard activity to cause a denial of service and potentially execute arbitrary code.
The issue is client-side and occurs because the cliprdr channel thread frees lastSentFormats while the X11 event thread concurrently iterates it.
25) Buffer Over-read (CVE-ID: CVE-2026-26271)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to buffer over-read in freerdp_image_copy_from_icon_data() when processing crafted RDP window icon data. A remote attacker can send specially crafted icon data to disclose sensitive information.
The issue is reachable over the network when a client processes icon data from an RDP server or a man-in-the-middle position.
26) Use-after-free (CVE-ID: CVE-2026-26986)
The vulnerability allows a remote user to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in rail_window_free in the X11 RAIL window handling code when processing a server-supplied window create order and freeing RAIL window entries during disconnect. A remote user can send a specially crafted window order to cause a denial of service and potentially execute arbitrary code.
One server-triggered exploitation path requires the builtin Unicode backend to be enabled, where malformed UTF-16 window title data causes title conversion to fail and leaves a dangling hash table entry until disconnect.
27) Reachable assertion (CVE-ID: CVE-2026-27015)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to reachable assertion in smartcard_unpack_read_size_align() in libfreerdp/utils/smartcard_pack.c when parsing crafted smartcard IOCTL data from an RDP server. A remote attacker can send a specially crafted SCARD_IOCTL_TRANSMIT request to cause a denial of service.
Smartcard redirection must be enabled, and user interaction is required for the client to connect to a malicious RDP server.
Remediation
Install update from vendor's website.