SB20260511122 - Red Hat Enterprise Linux 8 update for freerdp
Published: May 11, 2026
Description
This security bulletin contains information about 8 vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2026-25952)
The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in xf_SetWindowMinMaxInfo when processing RAIL ServerMinMaxInfo orders concurrently with window delete orders. A remote attacker can send crafted RAIL orders to cause a denial of service and potentially execute arbitrary code.
The issue is triggered on the client side by a malicious server due to a race between the RAIL channel thread and the main thread.
2) Use-after-free (CVE-ID: CVE-2026-26986)
The vulnerability allows a remote user to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to use-after-free in rail_window_free in the X11 RAIL window handling code when processing a server-supplied window create order and freeing RAIL window entries during disconnect. A remote user can send a specially crafted window order to cause a denial of service and potentially execute arbitrary code.
One server-triggered exploitation path requires the builtin Unicode backend to be enabled, where malformed UTF-16 window title data causes title conversion to fail and leaves a dangling hash table entry until disconnect.
3) Integer overflow (CVE-ID: CVE-2026-27951)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to integer overflow in Stream_EnsureCapacity when increasing stream allocation capacity. A remote attacker can trigger allocation growth that overflows SIZE_MAX to cause a denial of service.
Practical exploitation only works on 32-bit systems where the available physical memory is greater than or equal to SIZE_MAX.
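The class of bug in item 3, shown as an added example that is not FreeRDP's code: capacity growth that checks for wrap-around past SIZE_MAX before allocating. The `gbuf` type, both function names, the 64-byte starting size and the doubling policy are hypothetical assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical growable buffer (assumption; not FreeRDP's stream type). */
typedef struct {
    uint8_t *data;
    size_t   capacity;  /* bytes allocated */
    size_t   length;    /* bytes in use, always <= capacity */
} gbuf;

/* Smallest capacity >= needed reachable by doubling from `current`.
 * Returns false instead of wrapping when doubling would exceed SIZE_MAX. */
static bool grown_capacity(size_t current, size_t needed, size_t *out)
{
    size_t cap = current ? current : 64;
    while (cap < needed) {
        if (cap > SIZE_MAX / 2)
            return false;          /* cap * 2 would wrap around */
        cap *= 2;
    }
    *out = cap;
    return true;
}

/* Make room for `extra` more bytes after `length`.
 * On any failure the buffer is left exactly as it was. */
bool gbuf_reserve(gbuf *b, size_t extra)
{
    size_t needed, cap;
    if (extra > SIZE_MAX - b->length)
        return false;              /* length + extra would wrap around */
    needed = b->length + extra;
    if (needed <= b->capacity)
        return true;               /* already large enough */
    if (!grown_capacity(b->capacity, needed, &cap))
        return false;
    uint8_t *p = realloc(b->data, cap);
    if (!p)
        return false;              /* old block is still valid */
    b->data = p;
    b->capacity = cap;
    return true;
}
```

Without the two checks, a wrapped sum or product yields a small allocation that the caller then treats as large.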
4) Out-of-bounds write (CVE-ID: CVE-2026-29775)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds write in bitmap_cache_put in the bitmap cache subsystem when processing a crafted CACHE_BITMAP_ORDER (Rev1) from a malicious server. A remote attacker can send a specially crafted CACHE_BITMAP_ORDER with cacheId equal to maxCells to cause a denial of service.
The issue is client-side and can also result in a 4-byte out-of-bounds read followed by heap corruption, with potential pointer overwrite depending on heap layout.
5) Out-of-bounds read (CVE-ID: CVE-2026-31885)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the MS-ADPCM and IMA-ADPCM decoders in dsp.c when processing crafted ADPCM audio data over the RDPSND channel. A remote attacker can send specially crafted audio data to disclose sensitive information.
User interaction is required.
6) Division by zero (CVE-ID: CVE-2026-31884)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to division by zero in the MS-ADPCM and IMA-ADPCM decoders in libfreerdp/codec/dsp.c when processing RDPSND audio format negotiation with nBlockAlign set to 0. A remote attacker can send a specially crafted Server Audio Formats PDU followed by a Wave2 PDU to cause a denial of service.
User interaction is required.
7) Heap-based buffer overflow (CVE-ID: CVE-2026-31883)
The vulnerability allows a remote attacker to overwrite heap memory.
The vulnerability exists due to a heap-based buffer overflow in the IMA-ADPCM and MS-ADPCM audio decoders in libfreerdp/codec/dsp.c when processing crafted RDPSND audio format and wave data. A remote attacker can send specially crafted RDPSND audio data to overwrite heap memory.
Audio data is processed automatically during an RDP session when RDPSND is negotiated.
8) Out-of-bounds read (CVE-ID: CVE-2026-33985)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in clear_decompress_glyph_data() in libfreerdp/codec/clear.c when processing a subsequent CLEARCODEC_FLAG_GLYPH_HIT call after a failed winpr_aligned_recalloc() operation. A remote attacker can send specially crafted ClearCodec glyph data to disclose sensitive information.
Pixel data from adjacent heap memory may be rendered to the screen. User interaction is required.
Remediation
Install the update from the vendor's website.