SB20260427185 - SUSE update for freerdp

Published: April 27, 2026

Security Bulletin ID: SB20260427185
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 14
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 71% (10 of 14)
Low: 29% (4 of 14)

Description

This security bulletin contains information about 14 security vulnerabilities in freerdp. All of them are reached on the client side while it processes data from a malicious or compromised RDP server.


1) Out-of-bounds read (CVE-ID: CVE-2026-25941)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in rdpgfx_recv_wire_to_surface_2_pdu in the RDPGFX channel when processing a crafted WIRE_TO_SURFACE_2 PDU whose bitmapDataLength is larger than the data actually present in the packet. A malicious RDP server can send such a PDU to make the client read beyond the received buffer and disclose sensitive information.

User interaction is required because the victim must connect to a malicious server.


2) Out-of-bounds read (CVE-ID: CVE-2026-25942)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds read in xf_rail_server_execute_result when processing a server-supplied TS_RAIL_ORDER_EXEC_RESULT PDU. A remote attacker can send a specially crafted execResult value to cause a denial of service.

The issue is triggered when the server supplies an execResult value of 7 or greater, which is used as an unchecked index into the global error_code_names array and reads past its end.


3) Use-after-free (CVE-ID: CVE-2026-25952)

The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_SetWindowMinMaxInfo when processing RAIL ServerMinMaxInfo orders concurrently with window delete orders. A remote attacker can send crafted RAIL orders to cause a denial of service and potentially execute arbitrary code.

The issue is triggered on the client side by a malicious server due to a race between the RAIL channel thread and the main thread.


4) Use-after-free (CVE-ID: CVE-2026-25953)

The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_AppUpdateWindowFromSurface and xf_rail_paint_surface when processing concurrent RDPGFX frame updates and fastpath window-delete orders. A remote attacker can send crafted RDPGFX PDUs and window-delete orders to cause a denial of service and potentially execute arbitrary code.

Exploitation requires a malicious RDP server to win a race between the DVC thread handling EndFrame updates and the main thread deleting the mapped window.


5) Use-after-free (CVE-ID: CVE-2026-25954)

The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_rail_server_local_move_size when processing RAIL ServerLocalMoveSize PDUs concurrently with window delete orders. A remote attacker can send a sequence of crafted RAIL messages to cause a denial of service and potentially execute arbitrary code.

The issue is triggered by a race condition between the RAIL channel thread and the main thread in the X11 client.


6) Use-after-free (CVE-ID: CVE-2026-25997)

The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_clipboard_format_equal when processing clipboard format changes during auto-reconnect. A remote attacker can trigger a client reconnection sequence and concurrent clipboard activity to cause a denial of service and potentially execute arbitrary code.

The issue is client-side and occurs because the cliprdr channel thread frees lastSentFormats while the X11 event thread concurrently iterates it.


7) Use-after-free (CVE-ID: CVE-2026-26986)

The vulnerability allows a remote user to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in rail_window_free in the X11 RAIL window handling code when processing a server-supplied window create order and freeing RAIL window entries during disconnect. A remote user can send a specially crafted window order to cause a denial of service and potentially execute arbitrary code.

One server-triggered exploitation path requires the builtin Unicode backend to be enabled, where malformed UTF-16 window title data causes title conversion to fail and leaves a dangling hash table entry until disconnect.


8) Reachable assertion (CVE-ID: CVE-2026-27015)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to reachable assertion in smartcard_unpack_read_size_align() in libfreerdp/utils/smartcard_pack.c when parsing crafted smartcard IOCTL data from an RDP server. A remote attacker can send a specially crafted SCARD_IOCTL_TRANSMIT request to cause a denial of service.

Smartcard redirection must be enabled, and user interaction is required for the client to connect to a malicious RDP server.


9) Integer overflow (CVE-ID: CVE-2026-27951)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an integer overflow in Stream_EnsureCapacity when growing a stream's allocation. A remote attacker can drive the allocation growth until the computed size wraps past SIZE_MAX, causing a denial of service.

Practical exploitation only works on 32-bit systems where the available physical memory is greater than or equal to SIZE_MAX.
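The growth arithmetic that this class of bug depends on, and a checked form of it, as an added example that is not FreeRDP's Stream_EnsureCapacity: the size type is modelled as 32 bits so that the wrap is reachable on any host, and the growth policy (double, subject to an assumed 256 MiB cap) and all names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example: capacity growth with a 32-bit size type standing in for
 * size_t on a 32-bit build (SIZE_MAX == 0xFFFFFFFF). The cap value and the
 * growth policy are assumptions for this example.
 */
typedef uint32_t usize32;
#define USIZE32_MAX UINT32_MAX
#define STREAM_MAX_CAPACITY (256u * 1024u * 1024u) /* assumed policy cap: 256 MiB */

/* Buggy growth: plain arithmetic on the requested size, which wraps. */
static usize32 grow_capacity_unchecked(usize32 needed)
{
    return needed * 2; /* needed = 0x80000001 -> 2: a tiny buffer for a huge write */
}

/* Hardened growth: refuse sizes over the cap, then double without wrapping. */
static bool grow_capacity_checked(usize32 capacity, usize32 needed, usize32 *out)
{
    if (needed > STREAM_MAX_CAPACITY)
        return false; /* a peer asking for this much is malicious or broken */
    if (needed <= capacity) {
        *out = capacity;
        return true;
    }
    /* capacity <= cap/2 guarantees that capacity * 2 cannot wrap */
    usize32 newCap = (capacity > STREAM_MAX_CAPACITY / 2) ? STREAM_MAX_CAPACITY : capacity * 2;
    if (newCap < needed)
        newCap = needed;
    *out = newCap;
    return true;
}

typedef struct {
    uint8_t *buf;
    usize32 capacity;
    usize32 length; /* bytes currently used */
} stream_t;

/* Make room for `extra` more bytes; the addition itself is overflow-checked. */
static bool stream_ensure_remaining(stream_t *s, usize32 extra)
{
    if (extra > USIZE32_MAX - s->length)
        return false; /* length + extra would wrap past the 32-bit SIZE_MAX */
    usize32 newCap;
    if (!grow_capacity_checked(s->capacity, s->length + extra, &newCap))
        return false;
    if (newCap != s->capacity) {
        uint8_t *p = realloc(s->buf, newCap);
        if (!p)
            return false;
        s->buf = p;
        s->capacity = newCap;
    }
    return true;
}

int main(void)
{
    stream_t s = { NULL, 0, 0 };
    printf("unchecked growth for 0x80000001 bytes: %u\n", grow_capacity_unchecked(0x80000001u));
    printf("ensure 16 bytes: %s (capacity %u)\n",
           stream_ensure_remaining(&s, 16) ? "ok" : "refused", s.capacity);
    s.length = 0xFFFFFFF0u; /* simulate a stream that is already almost full */
    printf("ensure 32 more bytes at length 0xFFFFFFF0: %s\n",
           stream_ensure_remaining(&s, 32) ? "ok" : "refused");
    free(s.buf);
    return 0;
}
```

The policy cap matters as much as the overflow check: even arithmetic that cannot wrap still lets a server make the client allocate gigabytes, which is itself a denial of service.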


10) Out-of-bounds write (CVE-ID: CVE-2026-29774)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in avc420_yuv_to_rgb in the AVC420/AVC444 YUV-to-RGB conversion path when processing a crafted WIRE_TO_SURFACE_PDU_1 whose regionRects contain coordinates outside the target surface. A malicious server can send such a PDU to cause a denial of service.

The issue is client-side and is triggered after the H.264 bitstream decodes successfully.
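The check that prevents this class of write, as an added example rather than FreeRDP's code: region rectangles are validated (or clipped) against the surface they target before any conversion loop writes through them. The rectangle layout follows RDPGFX_RECT16 (left, top, right, bottom as UINT16, with right and bottom exclusive); the surface struct and the function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example. RDPGFX_RECT16-style rectangle; right/bottom are exclusive. */
typedef struct {
    uint16_t left, top, right, bottom;
} rect16_t;

/* Hypothetical 32bpp surface: stride bytes per row, stride * height bytes total. */
typedef struct {
    uint16_t width, height;
    uint32_t stride;
    uint8_t *data;
} surface_t;

/* A rectangle is usable only if it is non-empty and lies entirely on the surface. */
static bool rect_within_surface(const rect16_t *r, const surface_t *s)
{
    if (r->left >= r->right || r->top >= r->bottom)
        return false; /* empty or inverted */
    if (r->right > s->width || r->bottom > s->height)
        return false; /* would write past the right or bottom edge */
    return true;
}

/* Clipping alternative: shrink to the surface; false if nothing is left to draw. */
static bool rect_clip_to_surface(rect16_t *r, const surface_t *s)
{
    if (r->right > s->width)
        r->right = s->width;
    if (r->bottom > s->height)
        r->bottom = s->height;
    return r->left < r->right && r->top < r->bottom;
}

/* Byte offset of pixel (x, y); with an unchecked rect this exceeds the buffer. */
static size_t pixel_offset(const surface_t *s, uint32_t x, uint32_t y)
{
    return (size_t)y * s->stride + (size_t)x * 4u;
}

/* Whether the last pixel of r would still land inside the surface allocation. */
static bool rect_last_offset_in_bounds(const surface_t *s, const rect16_t *r)
{
    if (r->right == 0 || r->bottom == 0)
        return false;
    size_t last = pixel_offset(s, r->right - 1u, r->bottom - 1u) + 4u;
    return last <= (size_t)s->stride * s->height;
}

/* Hardened fill: validates first; returns pixels written, or -1 if rejected. */
static long fill_rect_checked(surface_t *s, const rect16_t *r, uint32_t rgba)
{
    if (!rect_within_surface(r, s))
        return -1;
    long count = 0;
    for (uint32_t y = r->top; y < r->bottom; y++) {
        for (uint32_t x = r->left; x < r->right; x++) {
            memcpy(s->data + pixel_offset(s, x, y), &rgba, 4);
            count++;
        }
    }
    return count;
}

int main(void)
{
    uint8_t buf[8 * 8 * 4] = { 0 };
    surface_t s = { 8, 8, 32, buf };
    rect16_t over = { 6, 6, 10, 10 }; /* constructed: extends past an 8x8 surface */
    printf("rect (6,6)-(10,10) on 8x8: within=%d, last offset in bounds=%d, fill=%ld\n",
           rect_within_surface(&over, &s), rect_last_offset_in_bounds(&s, &over),
           fill_rect_checked(&s, &over, 0xFFFFFFFFu));
    if (rect_clip_to_surface(&over, &s))
        printf("clipped to (%u,%u)-(%u,%u): fill=%ld\n", over.left, over.top, over.right,
               over.bottom, fill_rect_checked(&s, &over, 0xFFFFFFFFu));
    return 0;
}
```

Rejecting the PDU and clipping the rectangle are both safe; which one a client should choose depends on whether a partially drawn frame is preferable to a dropped one.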


11) Out-of-bounds write (CVE-ID: CVE-2026-29775)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds write in bitmap_cache_put in the bitmap cache subsystem when processing a crafted CACHE_BITMAP_ORDER (Rev1) from a malicious server. A remote attacker can send a specially crafted CACHE_BITMAP_ORDER with cacheId equal to maxCells to cause a denial of service.

The issue is client-side and can also result in a 4-byte out-of-bounds read followed by heap corruption, with potential pointer overwrite depending on heap layout.
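Items 2 and 11 are both unchecked indexing with a server-controlled value: a code used directly as an index into a name table, and an off-by-one comparison (> instead of >=) that lets cacheId equal maxCells. The following is an added example of both shapes and their hardened forms; it is not FreeRDP's code, the name table contents are placeholders, and the cache struct and function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example. Seven placeholder names, so valid indices are 0..6 and the
 * value 7 (the first one the bulletin mentions) is already out of range.
 */
static const char *const status_names[] = {
    "STATUS_0", "STATUS_1", "STATUS_2", "STATUS_3", "STATUS_4", "STATUS_5", "STATUS_6",
};
#define STATUS_NAME_COUNT (sizeof(status_names) / sizeof(status_names[0]))

/* Hardened lookup: out-of-range codes map to a fixed string instead of memory past the table. */
static const char *status_name(uint32_t code)
{
    if (code >= STATUS_NAME_COUNT)
        return "UNKNOWN";
    return status_names[code];
}

/* A cache with maxCells slots has valid ids 0..maxCells-1. */
typedef struct {
    uint32_t maxCells;
    void **cells; /* maxCells entries */
} bitmap_cache_t;

/* Buggy form: "> maxCells" accepts cacheId == maxCells, one slot past the end. */
static bool cache_id_ok_buggy(const bitmap_cache_t *c, uint32_t cacheId)
{
    return !(cacheId > c->maxCells);
}

/* Hardened form: anything at or beyond maxCells is rejected. */
static bool cache_id_ok(const bitmap_cache_t *c, uint32_t cacheId)
{
    return cacheId < c->maxCells;
}

/* Store only after the hardened check; returns false when the id is rejected. */
static bool cache_put(bitmap_cache_t *c, uint32_t cacheId, void *bitmap)
{
    if (!cache_id_ok(c, cacheId))
        return false;
    c->cells[cacheId] = bitmap;
    return true;
}

int main(void)
{
    void *slots[4] = { 0 };
    bitmap_cache_t cache = { 4, slots };
    int bitmap = 0;
    printf("code 3 -> %s, code 7 -> %s\n", status_name(3), status_name(7));
    printf("cacheId 4 with maxCells 4: buggy check %s, hardened put %s\n",
           cache_id_ok_buggy(&cache, 4) ? "accepts" : "rejects",
           cache_put(&cache, 4, &bitmap) ? "stored" : "rejected");
    return 0;
}
```

The sizeof-derived count keeps the lookup bound tied to the table itself, so adding or removing a name cannot silently desynchronise the check from the array.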


12) Integer underflow (CVE-ID: CVE-2026-29776)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an integer underflow in update_read_cache_bitmap_order() in libfreerdp/core/orders.c when processing a crafted bitmap cache order from the network. A remote attacker can send a specially crafted RDP update whose length field underflows, causing an excessive memory allocation and process termination (denial of service).

User interaction is required, and exploitation occurs in the client while handling server-supplied RDP data.


13) Division by zero (CVE-ID: CVE-2026-31884)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to division by zero in the MS-ADPCM and IMA-ADPCM decoders in libfreerdp/codec/dsp.c when processing RDPSND audio format negotiation with nBlockAlign set to 0. A remote attacker can send a specially crafted Server Audio Formats PDU followed by a Wave2 PDU to cause a denial of service.

User interaction is required.
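The point in item 13 is that a field negotiated by the server ends up as a divisor. The following added example (not FreeRDP's dsp.c) validates an ADPCM format before any block arithmetic uses it; the struct is a hypothetical subset of a WAVEFORMATEX-style record, the format tag constants are the standard registry values for MS ADPCM (0x0002) and IMA/DVI ADPCM (0x0011), and the function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example; tag values are the standard WAVE format registry codes. */
#define WAVE_FORMAT_ADPCM     0x0002
#define WAVE_FORMAT_DVI_ADPCM 0x0011

typedef struct {
    uint16_t wFormatTag;
    uint16_t nChannels;
    uint16_t nBlockAlign; /* bytes per encoded block; the divisor at issue */
} audio_format_t;

/* Buggy shape: divides by a server-controlled field without checking it. */
static size_t block_count_unchecked(size_t dataLen, const audio_format_t *fmt)
{
    return dataLen / fmt->nBlockAlign; /* SIGFPE when nBlockAlign == 0 */
}

/*
 * Per-channel block header sizes: MS ADPCM carries a 7-byte preamble per
 * channel, IMA ADPCM a 4-byte one. A block smaller than its header holds no
 * samples at all, so it is rejected along with the zero case.
 */
static bool adpcm_format_valid(const audio_format_t *fmt)
{
    uint16_t headerPerChannel;
    switch (fmt->wFormatTag) {
    case WAVE_FORMAT_ADPCM:     headerPerChannel = 7; break;
    case WAVE_FORMAT_DVI_ADPCM: headerPerChannel = 4; break;
    default:                    return false; /* not an ADPCM format */
    }
    if (fmt->nChannels != 1 && fmt->nChannels != 2)
        return false;
    if (fmt->nBlockAlign == 0)
        return false; /* the division-by-zero case */
    if (fmt->nBlockAlign < headerPerChannel * fmt->nChannels)
        return false; /* the header alone would not fit */
    return true;
}

/* Hardened: the format is validated once, before the division. */
static bool block_count_checked(size_t dataLen, const audio_format_t *fmt, size_t *blocks)
{
    if (!adpcm_format_valid(fmt))
        return false;
    *blocks = dataLen / fmt->nBlockAlign;
    return true;
}

/* Samples per channel decoded from one IMA block: one in the header, then 4 bits each. */
static bool ima_samples_per_block(const audio_format_t *fmt, size_t *samples)
{
    if (fmt->wFormatTag != WAVE_FORMAT_DVI_ADPCM || !adpcm_format_valid(fmt))
        return false;
    size_t payload = fmt->nBlockAlign - 4u * fmt->nChannels;
    *samples = (payload * 2) / fmt->nChannels + 1;
    return true;
}

int main(void)
{
    /* Constructed formats: the malicious one has nBlockAlign == 0. */
    audio_format_t bad = { WAVE_FORMAT_DVI_ADPCM, 2, 0 };
    audio_format_t ima = { WAVE_FORMAT_DVI_ADPCM, 1, 1024 };
    size_t n = 0;
    printf("nBlockAlign=0: valid=%d\n", adpcm_format_valid(&bad));
    if (block_count_checked(4096, &ima, &n))
        printf("4096 bytes of mono IMA, 1024-byte blocks: %zu blocks\n", n);
    if (ima_samples_per_block(&ima, &n))
        printf("samples per block: %zu\n", n);
    return 0;
}
```

The validation belongs at format negotiation time (the Server Audio Formats PDU), so that a later Wave2 PDU can never reach a decoder with an unvalidated format.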


14) Out-of-bounds read (CVE-ID: CVE-2026-31897)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to out-of-bounds read in freerdp_bitmap_decompress_planar when processing a planar bitmap with SrcSize set to 0. A remote attacker can send a crafted RDPGFX Surface Command to disclose sensitive information.

User interaction is required, and the Bitmap Update PDU path is not affected because it validates the bitmap length before calling the decoder.
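Items 1, 12 and 14 are the same mistake seen from three sides: a server-supplied length is larger than the data received (item 1), smaller than the fixed header it is supposed to cover so a subtraction underflows (item 12), or zero (item 14); item 8 is the related case of a parsing helper that aborts on bad input instead of returning an error. The following is an added example of a parser that rejects all four, written against an illustrative stream type; it is not FreeRDP's wStream or any of its PDU parsers, and the PDU layout, status codes and function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: a byte buffer plus read cursor, standing in for a network stream. */
typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t pos;
} stream_t;

static size_t stream_remaining(const stream_t *s) { return s->len - s->pos; }

/* Little-endian reads that fail cleanly instead of reading past the end. */
static bool stream_read_u16(stream_t *s, uint16_t *out)
{
    if (stream_remaining(s) < 2)
        return false;
    *out = (uint16_t)(s->buf[s->pos] | (s->buf[s->pos + 1] << 8));
    s->pos += 2;
    return true;
}

static bool stream_read_u32(stream_t *s, uint32_t *out)
{
    if (stream_remaining(s) < 4)
        return false;
    *out = (uint32_t)s->buf[s->pos] | ((uint32_t)s->buf[s->pos + 1] << 8) |
           ((uint32_t)s->buf[s->pos + 2] << 16) | ((uint32_t)s->buf[s->pos + 3] << 24);
    s->pos += 4;
    return true;
}

/* Hypothetical PDU: UINT32 dataLength (size of all that follows), UINT16 width,
 * UINT16 height, then dataLength - 4 bytes of bitmap data. */
#define FIXED_PART_LEN 4u

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED_HEADER,   /* fewer bytes than the fixed fields need */
    PARSE_LEN_EXCEEDS_STREAM, /* declared length > bytes actually received (item 1) */
    PARSE_LEN_BELOW_FIXED     /* declared length < fixed part, including zero (items 12, 14) */
};

typedef struct {
    uint16_t width, height;
    const uint8_t *bitmapData;
    size_t bitmapLength;
} bitmap_pdu_t;

/* The unchecked subtraction behind the underflow class: 1 - 4 wraps to 0xFFFFFFFD. */
static uint32_t payload_len_unchecked(uint32_t dataLength)
{
    return dataLength - FIXED_PART_LEN;
}

/* Hardened parser: every server-supplied size is validated before it is used. */
static enum parse_status parse_bitmap_pdu(stream_t *s, bitmap_pdu_t *out)
{
    uint32_t dataLength;
    if (!stream_read_u32(s, &dataLength))
        return PARSE_TRUNCATED_HEADER;
    if (dataLength < FIXED_PART_LEN)
        return PARSE_LEN_BELOW_FIXED;    /* blocks the underflow */
    if (dataLength > stream_remaining(s))
        return PARSE_LEN_EXCEEDS_STREAM; /* blocks the over-read */
    if (!stream_read_u16(s, &out->width) || !stream_read_u16(s, &out->height))
        return PARSE_TRUNCATED_HEADER;   /* cannot fail after the two checks above */
    out->bitmapLength = dataLength - FIXED_PART_LEN;
    out->bitmapData = s->buf + s->pos;
    s->pos += out->bitmapLength;
    return PARSE_OK;
}

/* Item 8 shape: skip alignment padding with an error return rather than an
 * assert(), so a short PDU is rejected instead of aborting the client. */
static bool stream_skip_align(stream_t *s, size_t alignment)
{
    size_t pad = (alignment - (s->pos % alignment)) % alignment;
    if (pad > stream_remaining(s))
        return false;
    s->pos += pad;
    return true;
}

static enum parse_status parse_bytes(const uint8_t *pkt, size_t len, bitmap_pdu_t *out)
{
    stream_t s = { pkt, len, 0 };
    return parse_bitmap_pdu(&s, out);
}

int main(void)
{
    /* Constructed packets: dataLength 100 with 4 bytes behind it, and dataLength 1. */
    const uint8_t oversize[]  = { 0x64, 0, 0, 0, 0x02, 0, 0x01, 0 };
    const uint8_t underflow[] = { 0x01, 0, 0, 0, 0x02, 0, 0x01, 0 };
    bitmap_pdu_t pdu;
    printf("oversize  -> status %d\n", parse_bytes(oversize, sizeof oversize, &pdu));
    printf("underflow -> status %d (unchecked payload length would be %u)\n",
           parse_bytes(underflow, sizeof underflow, &pdu), payload_len_unchecked(1));
    return 0;
}
```

The order of the two length checks is deliberate: the lower bound first, so that the subtraction is only performed on a value already known not to underflow, and the upper bound against the bytes actually received, not against whatever the enclosing PDU claimed.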


Remediation

Install the update from the vendor's website.