SB20260511120 - Red Hat Enterprise Linux 10 update for freerdp

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20260511120

SB20260511120 - Red Hat Enterprise Linux 10 update for freerdp

Published: May 11, 2026

Security Bulletin ID SB20260511120
CSH Severity
High
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

High 20% Medium 70% Low 10%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 vulnerabilities.


1) Use-after-free (CVE-ID: CVE-2026-25997)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_clipboard_format_equal when processing clipboard format changes during auto-reconnect. A remote attacker can trigger a client reconnection sequence and concurrent clipboard activity to cause a denial of service and potentially execute arbitrary code.

The issue is client-side and occurs because the cliprdr channel thread frees lastSentFormats while the X11 event thread concurrently iterates it.


2) Use-after-free (CVE-ID: CVE-2026-25952)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in xf_SetWindowMinMaxInfo when processing RAIL ServerMinMaxInfo orders concurrently with window delete orders. A remote attacker can send crafted RAIL orders to cause a denial of service and potentially execute arbitrary code.

The issue is triggered on the client side by a malicious server due to a race between the RAIL channel thread and the main thread.


3) Use-after-free (CVE-ID: CVE-2026-26986)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to use-after-free in rail_window_free in the X11 RAIL window handling code when processing a server-supplied window create order and freeing RAIL window entries during disconnect. A remote user can send a specially crafted window order to cause a denial of service and potentially execute arbitrary code.

One server-triggered exploitation path requires the builtin Unicode backend to be enabled, where malformed UTF-16 window title data causes title conversion to fail and leaves a dangling hash table entry until disconnect.


4) Out-of-bounds write (CVE-ID: CVE-2026-29775)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds write in bitmap_cache_put in the bitmap cache subsystem when processing a crafted CACHE_BITMAP_ORDER (Rev1) from a malicious server. A remote attacker can send a specially crafted CACHE_BITMAP_ORDER with cacheId equal to maxCells to cause a denial of service.

The issue is client-side and can also result in a 4-byte out-of-bounds read followed by heap corruption, with potential pointer overwrite depending on heap layout.


5) Out-of-bounds read (CVE-ID: CVE-2026-31885)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to out-of-bounds read in the MS-ADPCM and IMA-ADPCM decoders in dsp.c when processing crafted ADPCM audio data over the RDPSND channel. A remote attacker can send specially crafted audio data to disclose sensitive information.

User interaction is required.


6) Division by zero (CVE-ID: CVE-2026-31884)

CWE-ID: CWE-369 - Divide By Zero

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to division by zero in the MS-ADPCM and IMA-ADPCM decoders in libfreerdp/codec/dsp.c when processing RDPSND audio format negotiation with nBlockAlign set to 0. A remote attacker can send a specially crafted Server Audio Formats PDU followed by a Wave2 PDU to cause a denial of service.

User interaction is required.


7) Heap-based buffer overflow (CVE-ID: CVE-2026-31883)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to overwrite heap memory.

The vulnerability exists due to a heap-based buffer overflow in the IMA-ADPCM and MS-ADPCM audio decoders in libfreerdp/codec/dsp.c when processing crafted RDPSND audio format and wave data. A remote attacker can send specially crafted RDPSND audio data to overwrite heap memory.

Audio data is processed automatically during an RDP session when RDPSND is negotiated.


8) Out-of-bounds read (CVE-ID: CVE-2026-33985)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in clear_decompress_glyph_data() in libfreerdp/codec/clear.c when processing a subsequent CLEARCODEC_FLAG_GLYPH_HIT call after a failed winpr_aligned_recalloc() operation. A remote attacker can send specially crafted ClearCodec glyph data to disclose sensitive information.

Pixel data from adjacent heap memory may be rendered to the screen. User interaction is required.


9) Out-of-bounds read (CVE-ID: CVE-2026-33982)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to disclose sensitive information and cause a denial of service.

The vulnerability exists due to an out-of-bounds read in winpr_aligned_offset_recalloc() when processing a v3 persistent cache file with an entry larger than 64x64 pixels at 32bpp. A remote attacker can trick the victim into opening a crafted cache file to disclose sensitive information and cause a denial of service.

User interaction is required to process the crafted cache file.


10) Heap-based buffer overflow (CVE-ID: CVE-2026-33987)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to cause a denial of service or modify data.

The vulnerability exists due to a heap-based buffer overflow in persistent_cache_read_entry_v3() in libfreerdp/cache/persistent.c when processing a crafted .bmc persistent cache file. A remote attacker can provide a specially crafted cache file to cause a denial of service or modify data.

User interaction is required to open or process the crafted persistent cache file.


Remediation

Install update from vendor's website.

References