SB2026040899 - Multiple vulnerabilities in FreeRDP
Published: April 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 15 secuirty vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2026-27950)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to use-after-free in update_pointer_new(SDL) when handling crafted pointer updates in the SDL2 implementation. A remote attacker can trigger the vulnerable pointer handling flow to cause a denial of service.
Only environments using the SDL2 code path are affected.
2) Integer overflow (CVE-ID: CVE-2026-27951)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to integer overflow in Stream_EnsureCapacity when increasing stream allocation capacity. A remote attacker can trigger allocation growth that overflows SIZE_MAX to cause a denial of service.
Practical exploitation only works on 32-bit systems where the available physical memory is greater than or equal to SIZE_MAX.
3) Out-of-bounds write (CVE-ID: CVE-2026-26965)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to out-of-bounds write in planar_decompress_plane_rle() in the PLANAR RLE decode path when processing a crafted RDP planar bitmap in the temp-buffer path. A remote attacker can send a specially crafted RDP server response to execute arbitrary code.
User interaction is required because the victim must connect to a malicious RDP server.
4) Out-of-bounds write (CVE-ID: CVE-2026-26955)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to out-of-bounds write in gdi_SurfaceCommand_ClearCodec() when processing an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. A remote attacker can send a specially crafted RDP server response to execute arbitrary code.
User interaction is required because the victim must connect to a malicious RDP server.
5) Reachable assertion (CVE-ID: CVE-2026-27015)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to reachable assertion in smartcard_unpack_read_size_align() in libfreerdp/utils/smartcard_pack.c when parsing crafted smartcard IOCTL data from an RDP server. A remote attacker can send a specially crafted SCARD_IOCTL_TRANSMIT request to cause a denial of service.
Smartcard redirection must be enabled, and user interaction is required for the client to connect to a malicious RDP server.
6) Buffer Over-read (CVE-ID: CVE-2026-26271)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to buffer over-read in freerdp_image_copy_from_icon_data() when processing crafted RDP window icon data. A remote attacker can send specially crafted icon data to disclose sensitive information.
The issue is reachable over the network when a client processes icon data from an RDP server or a man-in-the-middle position.
7) Use-after-free (CVE-ID: CVE-2026-25955)
The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in xf_AppUpdateWindowFromSurface when processing crafted RDPGFX surface updates from a malicious server. A remote attacker can send crafted surface create, delete, and repaint sequences to cause a denial of service and potentially execute arbitrary code.
Exploitation requires a client connection to a malicious RDP server with RAIL and RDPGFX support, and the issue is triggered in the X11 client with SoftwareGdi enabled.
8) Use-after-free (CVE-ID: CVE-2026-25953)
The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in xf_AppUpdateWindowFromSurface and xf_rail_paint_surface when processing concurrent RDPGFX frame updates and fastpath window-delete orders. A remote attacker can send crafted RDPGFX PDUs and window-delete orders to cause a denial of service and potentially execute arbitrary code.
Exploitation requires a malicious RDP server to win a race between the DVC thread handling EndFrame updates and the main thread deleting the mapped window.
9) Use-after-free (CVE-ID: CVE-2026-25952)
The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in xf_SetWindowMinMaxInfo when processing RAIL ServerMinMaxInfo orders concurrently with window delete orders. A remote attacker can send crafted RAIL orders to cause a denial of service and potentially execute arbitrary code.
The issue is triggered on the client side by a malicious server due to a race between the RAIL channel thread and the main thread.
10) Use-after-free (CVE-ID: CVE-2026-25954)
The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in xf_rail_server_local_move_size when processing RAIL ServerLocalMoveSize PDUs concurrently with window delete orders. A remote attacker can send a sequence of crafted RAIL messages to cause a denial of service and potentially execute arbitrary code.
The issue is triggered by a race condition between the RAIL channel thread and the main thread in the X11 client.
11) Use-after-free (CVE-ID: CVE-2026-26986)
The vulnerability allows a remote user to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in rail_window_free in the X11 RAIL window handling code when processing a server-supplied window create order and freeing RAIL window entries during disconnect. A remote user can send a specially crafted window order to cause a denial of service and potentially execute arbitrary code.
One server-triggered exploitation path requires the builtin Unicode backend to be enabled, where malformed UTF-16 window title data causes title conversion to fail and leaves a dangling hash table entry until disconnect.
12) Out-of-bounds read (CVE-ID: CVE-2026-25942)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read in xf_rail_server_execute_result when processing a server-supplied TS_RAIL_ORDER_EXEC_RESULT PDU. A remote attacker can send a specially crafted execResult value to cause a denial of service.
The issue is triggered when the server provides an execResult value of 7 or greater, which is used as an unchecked index into the global error_code_names array.
13) Use-after-free (CVE-ID: CVE-2026-25959)
The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in xf_cliprdr_provide_data_ when processing clipboard format data responses concurrently with cached clipboard data clearing. A remote attacker can send a malicious clipboard data response from a server to cause a denial of service and potentially execute arbitrary code.
The issue is client-side and requires clipboard redirection support to be enabled.
14) Use-after-free (CVE-ID: CVE-2026-25997)
The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in xf_clipboard_format_equal when processing clipboard format changes during auto-reconnect. A remote attacker can trigger a client reconnection sequence and concurrent clipboard activity to cause a denial of service and potentially execute arbitrary code.
The issue is client-side and occurs because the cliprdr channel thread frees lastSentFormats while the X11 event thread concurrently iterates it.
15) Out-of-bounds read (CVE-ID: CVE-2026-25941)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in rdpgfx_recv_wire_to_surface_2_pdu in the RDPGFX channel when processing a crafted WIRE_TO_SURFACE_2 PDU with a bitmapDataLength value larger than the actual packet data. A remote attacker can send a specially crafted RDP server response to disclose sensitive information.
User interaction is required because the victim must connect to a malicious server.
Remediation
Install update from vendor's website.
References
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rvfg-86cr-5r6p
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qcfc-ghxr-h927
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5vgf-mw4f-r33h
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mr6w-ch7c-mqqj
- https://github.com/advisories/GHSA-mr6w-ch7c-mqqj
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hr4m-ph4g-48j6
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4g54-x8v7-559x
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6rq-rxpc-rh3p
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cgqm-cwjg-7w9x
- https://github.com/advisories/GHSA-cgqm-cwjg-7w9x
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cc88-4j37-mw6j
- https://github.com/advisories/GHSA-cc88-4j37-mw6j
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-crqx-g6x5-rx47
- https://github.com/advisories/GHSA-crqx-g6x5-rx47
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78q6-67m7-wwf6
- https://github.com/advisories/GHSA-78q6-67m7-wwf6
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78xg-v4p2-4w3c
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5j3-m6jf-3jq4
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3546-x645-5cf8
- https://github.com/advisories/GHSA-3546-x645-5cf8