SB2026051220 - Multiple vulnerabilities in FreeRDP
Published: May 12, 2026
Description
This security bulletin contains information about 5 vulnerabilities.
1) Use-after-free (CVE-ID: N/A)
The vulnerability allows a remote attacker to cause client-side memory corruption.
The vulnerability exists due to a use-after-free in the RDPEAR NDR parser when processing crafted RDPEAR NDR data from an RDP server. A remote attacker can reuse a non-null NDR pointer ref-id across multiple logical pointer fields to cause client-side memory corruption.
User interaction is required because the client must connect to a malicious or compromised RDP server, and exploitation is reachable when RDPEAR or Remote Credential Guard is in use.
2) Type Confusion (CVE-ID: N/A)
The vulnerability allows a remote attacker to cause an out-of-bounds read.
The vulnerability exists due to type confusion in the RDPEAR NDR parser when processing crafted RDPEAR NDR data from an RDP server. A remote attacker can reuse a non-null NDR pointer ref-id across fields with incompatible expected NDR types to cause an out-of-bounds read.
User interaction is required because the client must connect to a malicious or compromised RDP server, and exploitation is reachable when RDPEAR or Remote Credential Guard is in use.
3) Out-of-bounds write (CVE-ID: N/A)
The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to an out-of-bounds write in freerdp_bitmap_decompress_planar() and planar_decompress_plane_rle() in the planar bitmap decoder when decoding RLE planar data with a large destination stride and X destination coordinate that trigger the temp-buffer code path. A remote attacker can send specially crafted planar bitmap data to cause a denial of service and potentially execute arbitrary code.
No FreeRDP server or client is affected; the issue affects third-party implementations that use their own decoding system and utilize the FreeRDP planar decoder.
4) Heap-based buffer overflow (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a heap-based buffer overflow in gdi_CacheToSurface when processing crafted RDPGFX PDUs from a server. A remote attacker can send crafted RDPGFX CacheToSurface messages to execute arbitrary code.
RDPGFX must be enabled, and user interaction is required to connect the client to an attacker-controlled RDP server.
5) Heap-based buffer overflow (CVE-ID: CVE-2026-44420)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to a heap-based buffer overflow in the server-side clipboard (cliprdr) channel capability parsing routine when processing a CB_CLIP_CAPS PDU with an undersized capabilitySetLength value. A remote user can send a specially crafted CB_CLIP_CAPS PDU to execute arbitrary code.
Affected systems must have the cliprdr server channel enabled.
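The length validation a capability parser needs for item 5, shown as an added example: this is not FreeRDP code or the vendor's patch. The field layout follows the public MS-RDPECLIP specification; parse_clip_caps() and SAMPLE_CAPS are hypothetical names and the sample PDU is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CB_CLIP_CAPS        0x0007u /* msgType of the capabilities PDU */
#define CB_CAPSTYPE_GENERAL 0x0001u
#define CAPS_SET_HDR_LEN    4u      /* capabilitySetType + capabilitySetLength */
#define GENERAL_CAPS_LEN    12u     /* set header + version + generalFlags */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical helper: returns 0 and stores generalFlags, or -1 if the PDU is malformed. */
int parse_clip_caps(const uint8_t *pdu, size_t len, uint32_t *general_flags)
{
    if (!pdu || !general_flags || len < 12) /* 8-byte header + count + pad */
        return -1;
    uint32_t data_len = rd32(pdu + 4);
    if (rd16(pdu) != CB_CLIP_CAPS || data_len < 4 || data_len > len - 8)
        return -1;
    size_t end = 8 + (size_t)data_len, off = 12;
    uint16_t count = rd16(pdu + 8);
    uint32_t flags = 0;
    int seen_general = 0;
    for (uint16_t i = 0; i < count; i++) {
        if (end - off < CAPS_SET_HDR_LEN)
            return -1;
        uint16_t type = rd16(pdu + off), set_len = rd16(pdu + off + 2);
        /* The length covers its own header: reject undersized and oversized values. */
        if (set_len < CAPS_SET_HDR_LEN || set_len > end - off)
            return -1;
        if (type == CB_CAPSTYPE_GENERAL) {
            if (set_len != GENERAL_CAPS_LEN) /* fixed-size set, no other length is valid */
                return -1;
            flags = rd32(pdu + off + 8);
            seen_general = 1;
        }
        off += set_len;
    }
    if (!seen_general)
        return -1;
    *general_flags = flags;
    return 0;
}

/* Constructed sample: one general capability set, version 2, generalFlags 0x2. */
static const uint8_t SAMPLE_CAPS[24] = { 0x07,0x00, 0x00,0x00, 0x10,0x00,0x00,0x00, 0x01,0x00,
    0x00,0x00, 0x01,0x00, 0x0C,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00 };

int main(void) {
    uint32_t f = 0;
    printf("rc=%d flags=0x%x\n", parse_clip_caps(SAMPLE_CAPS, sizeof(SAMPLE_CAPS), &f), (unsigned)f);
    return 0;
}
```

Every length is checked against both the minimum the structure requires and the bytes actually remaining before any field behind it is read.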
Remediation
Install the update from the vendor's website.
References
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-j9q5-7g8m-jc9v
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mpxh-8fq3-x8mh
- https://github.com/FreeRDP/FreeRDP/commit/a0be5cb87d760bb1c803ad1bb835aa1e73e62abc
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6r2-4hgm-m6ff
- https://github.com/FreeRDP/FreeRDP/commit/23b36cd00ebf0ccd97750fcdbc9aa2f362352da7
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvpx-xj7r-3p3r