SB20260408155 - Ubuntu update for freerdp3

Description

This security bulletin contains information about 32 secuirty vulnerabilities.

1) Integer overflow (CVE-ID: CVE-2026-27951)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to integer overflow in Stream_EnsureCapacity when increasing stream allocation capacity. A remote attacker can trigger allocation growth that overflows SIZE_MAX to cause a denial of service.

Practical exploitation only works on 32-bit systems where the available physical memory is greater than or equal to SIZE_MAX.

2) Use-after-free (CVE-ID: CVE-2026-27950)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to use-after-free in update_pointer_new(SDL) when handling crafted pointer updates in the SDL2 implementation. A remote attacker can trigger the vulnerable pointer handling flow to cause a denial of service.

Only environments using the SDL2 code path are affected.

3) Reachable assertion (CVE-ID: CVE-2026-27015)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to reachable assertion in smartcard_unpack_read_size_align() in libfreerdp/utils/smartcard_pack.c when parsing crafted smartcard IOCTL data from an RDP server. A remote attacker can send a specially crafted SCARD_IOCTL_TRANSMIT request to cause a denial of service.

Smartcard redirection must be enabled, and user interaction is required for the client to connect to a malicious RDP server.

4) Use-after-free (CVE-ID: CVE-2026-26986)

The vulnerability allows a remote user to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in rail_window_free in the X11 RAIL window handling code when processing a server-supplied window create order and freeing RAIL window entries during disconnect. A remote user can send a specially crafted window order to cause a denial of service and potentially execute arbitrary code.

One server-triggered exploitation path requires the builtin Unicode backend to be enabled, where malformed UTF-16 window title data causes title conversion to fail and leaves a dangling hash table entry until disconnect.

5) Out-of-bounds write (CVE-ID: CVE-2026-26965)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to out-of-bounds write in planar_decompress_plane_rle() in the PLANAR RLE decode path when processing a crafted RDP planar bitmap in the temp-buffer path. A remote attacker can send a specially crafted RDP server response to execute arbitrary code.

User interaction is required because the victim must connect to a malicious RDP server.

6) Out-of-bounds write (CVE-ID: CVE-2026-26955)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to out-of-bounds write in gdi_SurfaceCommand_ClearCodec() when processing an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. A remote attacker can send a specially crafted RDP server response to execute arbitrary code.

User interaction is required because the victim must connect to a malicious RDP server.

7) Buffer Over-read (CVE-ID: CVE-2026-26271)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to buffer over-read in freerdp_image_copy_from_icon_data() when processing crafted RDP window icon data. A remote attacker can send specially crafted icon data to disclose sensitive information.

The issue is reachable over the network when a client processes icon data from an RDP server or a man-in-the-middle position.

8) Use-after-free (CVE-ID: CVE-2026-25997)

The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_clipboard_format_equal when processing clipboard format changes during auto-reconnect. A remote attacker can trigger a client reconnection sequence and concurrent clipboard activity to cause a denial of service and potentially execute arbitrary code.

The issue is client-side and occurs because the cliprdr channel thread frees lastSentFormats while the X11 event thread concurrently iterates it.

9) Use-after-free (CVE-ID: CVE-2026-25959)

The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_cliprdr_provide_data_ when processing clipboard format data responses concurrently with cached clipboard data clearing. A remote attacker can send a malicious clipboard data response from a server to cause a denial of service and potentially execute arbitrary code.

The issue is client-side and requires clipboard redirection support to be enabled.

10) Use-after-free (CVE-ID: CVE-2026-25955)

The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_AppUpdateWindowFromSurface when processing crafted RDPGFX surface updates from a malicious server. A remote attacker can send crafted surface create, delete, and repaint sequences to cause a denial of service and potentially execute arbitrary code.

Exploitation requires a client connection to a malicious RDP server with RAIL and RDPGFX support, and the issue is triggered in the X11 client with SoftwareGdi enabled.

11) Use-after-free (CVE-ID: CVE-2026-25954)

The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_rail_server_local_move_size when processing RAIL ServerLocalMoveSize PDUs concurrently with window delete orders. A remote attacker can send a sequence of crafted RAIL messages to cause a denial of service and potentially execute arbitrary code.

The issue is triggered by a race condition between the RAIL channel thread and the main thread in the X11 client.

12) Use-after-free (CVE-ID: CVE-2026-25953)

The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_AppUpdateWindowFromSurface and xf_rail_paint_surface when processing concurrent RDPGFX frame updates and fastpath window-delete orders. A remote attacker can send crafted RDPGFX PDUs and window-delete orders to cause a denial of service and potentially execute arbitrary code.

Exploitation requires a malicious RDP server to win a race between the DVC thread handling EndFrame updates and the main thread deleting the mapped window.

13) Use-after-free (CVE-ID: CVE-2026-25952)

The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_SetWindowMinMaxInfo when processing RAIL ServerMinMaxInfo orders concurrently with window delete orders. A remote attacker can send crafted RAIL orders to cause a denial of service and potentially execute arbitrary code.

The issue is triggered on the client side by a malicious server due to a race between the RAIL channel thread and the main thread.

14) Out-of-bounds read (CVE-ID: CVE-2026-25942)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds read in xf_rail_server_execute_result when processing a server-supplied TS_RAIL_ORDER_EXEC_RESULT PDU. A remote attacker can send a specially crafted execResult value to cause a denial of service.

The issue is triggered when the server provides an execResult value of 7 or greater, which is used as an unchecked index into the global error_code_names array.

15) Out-of-bounds read (CVE-ID: CVE-2026-25941)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to out-of-bounds read in rdpgfx_recv_wire_to_surface_2_pdu in the RDPGFX channel when processing a crafted WIRE_TO_SURFACE_2 PDU with a bitmapDataLength value larger than the actual packet data. A remote attacker can send a specially crafted RDP server response to disclose sensitive information.

User interaction is required because the victim must connect to a malicious server.

16) Heap-based buffer overflow (CVE-ID: CVE-2026-23884)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in gdi_set_bounds. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

17) Heap-based buffer overflow (CVE-ID: CVE-2026-23883)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in update_pointer_new. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

18) Heap-based buffer overflow (CVE-ID: CVE-2026-23732)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Glyph_Alloc. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

19) Heap-based buffer overflow (CVE-ID: CVE-2026-23534)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in clear_decompress_bands_data. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

20) Heap-based buffer overflow (CVE-ID: CVE-2026-23533)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in clear_decompress_residual_data. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

21) Heap-based buffer overflow (CVE-ID: CVE-2026-23532)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in gdi_SurfaceToSurface. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

22) Heap-based buffer overflow (CVE-ID: CVE-2026-23531)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in clear_decompress. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

23) Heap-based buffer overflow (CVE-ID: CVE-2026-23530)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in planar_decompress_plane_rle. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

24) Out-of-bounds read (CVE-ID: CVE-2026-22859)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary condition within the urb_select_configuration() function. A remote attacker can trick the victim into connecting to a malicious server, trigger an out-of-bounds read error and crash the application.

25) Out-of-bounds read (CVE-ID: CVE-2026-22858)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary condition within the crypto_base64_decode() function. A remote attacker can trick the victim into connecting to a malicious server, trigger an out-of-bounds read error and crash the application.

26) Use-after-free (CVE-ID: CVE-2026-22857)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in irp_thread_func() function. A remote attacker can trick the victim into connecting to a malicious server and execute arbitrary code on the system.

27) Use-after-free (CVE-ID: CVE-2026-22856)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in create_irp_thread() function. A remote attacker can trick the victim into connecting to a malicious server and execute arbitrary code on the system.

28) Heap-based buffer overflow (CVE-ID: CVE-2026-22855)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in smartcard_unpack_set_attrib_call() function. A remote attacker can trick the victim into connecting to a malicious server, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

29) Heap-based buffer overflow (CVE-ID: CVE-2026-22854)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in drive_process_irp_read() function. A remote attacker can trick the victim into connecting to a malicious server, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

30) Out-of-bounds write (CVE-ID: CVE-2026-22853)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input within the ndr_read_uint8Array() function. A remote attacker can trick the victim into connecting to a malicious server, trigger an out-of-bounds write and execute arbitrary code on the target system.

31) Out-of-bounds write (CVE-ID: CVE-2026-22852)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input within the audin_process_formats() function. A remote attacker can trick the victim into connecting to a malicious server, trigger an out-of-bounds write and execute arbitrary code on the target system.

32) Use-after-free (CVE-ID: CVE-2026-22851)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a use-after-free error in SDL client (sdl->primary) caused by a race in RDPGFX ResetGraphics. A remote attacker can trick the victim into connecting to a malicious server and crash the application.

Note, the vulnerability affects SDL client only. 

Remediation

Install update from vendor's website.

References

• https://ubuntu.com/security/notices/USN-8105-1