SB2026061530 - Multiple vulnerabilities in FreeRDP

Published: June 15, 2026

Security Bulletin ID: SB2026061530
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 50% (3 of 6)
Medium: 50% (3 of 6)

Description

This security bulletin contains information about 6 vulnerabilities.


1) Integer overflow (CVE-ID: N/A)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause an out-of-bounds read.

The vulnerability exists due to an integer overflow in freerdp_image_copy_from_icon_data() when the image size is computed from the attacker-controlled dimensions of a crafted RAIL icon update PDU. A remote attacker controlling the RDP server can send an icon update whose dimensions and pixel data are chosen so that the computed size wraps, causing the copy to read beyond the received data.

Only FreeRDP-based clients running in RAIL/RemoteApp mode are affected; desktop-mode sessions are not affected.


2) Heap-based buffer overflow (CVE-ID: N/A)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code or cause a denial of service.

The vulnerability exists due to a heap-based buffer overflow in rpc_client_recv_fragment(), in the TS Gateway RPC response reassembly logic, when processing a crafted PTYPE_RESPONSE PDU on the RPC OUT channel after gateway negotiation. A remote attacker controlling the gateway can send a response whose alloc_hint is smaller than the stub data that follows, overrunning the heap buffer used for reassembly and allowing arbitrary code execution or a denial of service.

Only FreeRDP clients using TS Gateway / RD Gateway transport are affected; direct RDP connections without the gateway RPC layer are not. In builds with assertions enabled the malformed PDU may trip an assertion and abort the client (a denial of service); in release builds without assertion enforcement the overflow is reachable and may permit code execution.


3) Heap-based buffer overflow (CVE-ID: N/A)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in the TS Gateway RPC fragment receive logic when processing RESPONSE fragments from a TS Gateway after RPC bind negotiation. A remote attacker controlling the gateway can send a crafted bind_ack followed by oversized RESPONSE fragments to execute arbitrary code.

The issue affects FreeRDP clients using TS Gateway / RD Gateway transport and can also be triggered by an active machine-in-the-middle on the gateway traffic. Direct RDP connections that do not use the gateway RPC layer are not affected.
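Both gateway items come down to the same reassembly mistake, so one example covers items 2 and 3. The following is added illustration, not FreeRDP's code and not the fix shipped for these issues: it shows a fragment receiver that sizes its heap buffer from alloc_hint and appends later fragments on trust, beside one that treats alloc_hint as nothing more than a preallocation hint and checks every append against the real allocation. The struct layouts, function names, the 16 MiB policy cap and the sample fragments are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative, not FreeRDP's code: RESPONSE fragment reassembly on the
 * gateway RPC OUT channel (items 2 and 3). alloc_hint and PFC_LAST_FRAG are
 * DCE/RPC names; layouts, function names and the 16 MiB cap are assumptions. */

#define PFC_LAST_FRAG  0x02
#define MAX_STUB_TOTAL (16u * 1024u * 1024u)

typedef struct {
    uint8_t        flags;       /* PFC_* flags from the common header */
    uint32_t       alloc_hint;  /* sender's claim of the total stub size */
    uint32_t       stub_len;    /* stub bytes carried by this fragment */
    const uint8_t *stub;        /* points into the received fragment */
} rpc_fragment;

typedef struct {
    uint8_t *buf;
    size_t   cap, len;          /* bytes allocated / bytes appended so far */
    int      complete;
} rpc_reassembly;

/* Vulnerable pattern: the first fragment's alloc_hint sizes the buffer and
 * later fragments are appended on trust, so a small hint followed by more
 * stub data than that overflows the heap at the memcpy. Never called here. */
int recv_fragment_unchecked(rpc_reassembly *r, const rpc_fragment *f)
{
    if (!r->buf) {
        r->cap = f->alloc_hint;
        r->buf = malloc(r->cap ? r->cap : 1);
        if (!r->buf) return -1;
    }
    memcpy(r->buf + r->len, f->stub, f->stub_len);   /* no check against cap */
    r->len += f->stub_len;
    if (f->flags & PFC_LAST_FRAG) r->complete = 1;
    return 0;
}

/* Hardened: alloc_hint only preallocates (clamped to the cap); every append
 * is checked against the real allocation, the total is bounded by
 * MAX_STUB_TOTAL, and fragments arriving after the last one are refused. */
int recv_fragment_checked(rpc_reassembly *r, const rpc_fragment *f)
{
    size_t need;
    if (r->complete) return -1;                      /* data after PFC_LAST_FRAG */
    if (f->stub_len > MAX_STUB_TOTAL || r->len > MAX_STUB_TOTAL - f->stub_len)
        return -1;                                   /* total would exceed policy */
    need = r->len + f->stub_len;
    if (!r->buf) {
        size_t hint = f->alloc_hint < MAX_STUB_TOTAL ? f->alloc_hint : MAX_STUB_TOTAL;
        r->cap = hint > need ? hint : need;
        r->buf = malloc(r->cap ? r->cap : 1);
        if (!r->buf) return -1;
    }
    if (need > r->cap) {                             /* the hint lied: grow, do not trust it */
        uint8_t *nb = realloc(r->buf, need);
        if (!nb) return -1;
        r->buf = nb;
        r->cap = need;
    }
    memcpy(r->buf + r->len, f->stub, f->stub_len);
    r->len += f->stub_len;
    if (f->flags & PFC_LAST_FRAG) r->complete = 1;
    return 0;
}

/* Run a fragment sequence through the checked path. Returns the reassembled
 * stub length, or -1 if a fragment was refused or the PDU never completed. */
long reassemble_checked(const rpc_fragment *frags, size_t n)
{
    rpc_reassembly r = { NULL, 0, 0, 0 };
    long total = -1;
    for (size_t i = 0; i < n; i++)
        if (recv_fragment_checked(&r, &frags[i]) != 0) goto out;
    if (r.complete) total = (long)r.len;
out:
    free(r.buf);
    return total;
}

/* Constructed sample (not captured traffic): alloc_hint claims 16 bytes,
 * but the two RESPONSE fragments carry 64 + 32 bytes of stub data. */
long demo_small_hint_oversized_stub(void)
{
    static const uint8_t a[64] = { 0xAA }, b[32] = { 0xBB };
    rpc_fragment frags[2] = { { 0, 16, 64, a }, { PFC_LAST_FRAG, 16, 32, b } };
    return reassemble_checked(frags, 2);
}

/* Constructed sample: one fragment claiming more stub data than the cap
 * allows; it is refused before any copy happens. */
long demo_over_cap_refused(void)
{
    static const uint8_t a[4] = { 0 };
    rpc_fragment f = { PFC_LAST_FRAG, 16, MAX_STUB_TOTAL + 1, a };
    return reassemble_checked(&f, 1);
}
```

The same sequence fed to recv_fragment_unchecked() would allocate 16 bytes and then copy 64 into them. Note that nothing in the checked path depends on who sent the fragments: an active machine-in-the-middle rewriting gateway traffic, as in item 3, is handled identically to a hostile gateway.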


4) Out-of-bounds read (CVE-ID: N/A)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information or cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the FreeRDP client's H.264 YUV-to-RGB conversion path when processing AVC420 or AVC444 GFX frames from a malicious RDP server whose decoded frame dimensions do not match those of the target surface. A remote attacker controlling the server can send specially crafted RDP graphics data so that the conversion reads out of bounds, disclosing memory contents or crashing the client.

Only client-side deployments using libfreerdp GFX H.264 decompression are affected, and exploitation requires RDPGFX with AVC420 or AVC444 negotiated and an H.264 decoder backend enabled.


5) Heap-based buffer overflow (CVE-ID: N/A)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow caused by an integer overflow in avc444_ensure_buffer() in libfreerdp/codec/h264.c when sizing the buffer for AVC444 GFX frames received from a malicious RDP server. A remote attacker controlling the server can send crafted surface dimensions and H.264 bitstream content so that the undersized buffer is overrun, allowing arbitrary code execution.

Exploitation requires a FreeRDP client build using libfreerdp AVC444 decompression with RDPGFX AVC444 negotiated and an H.264 decoder backend enabled.
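Items 1, 4 and 5 share two missing checks: overflow-safe arithmetic on server-supplied dimensions before a buffer is sized, and a region check before a decoded frame is written into a surface. The example below is added here and is neither FreeRDP's code nor its fix for these issues; the function names, the 64 MiB cap and the sample pixel buffer are assumptions. It shows the wrapping 32-bit size computation beside a checked version, a copy that also verifies the PDU actually carried as many bytes as the dimensions imply (the out-of-bounds read of item 1), and a rectangle check covering the decoder/surface mismatch of item 4.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Illustrative code, not FreeRDP's. It models the checks the icon-copy
 * path (item 1), the AVC444 buffer sizing (item 5) and the YUV-to-RGB
 * conversion (item 4) need: overflow-safe size arithmetic on
 * server-supplied dimensions, and a region check before a decoded frame
 * is written into a surface. Function names and the 64 MiB cap are
 * assumptions, not FreeRDP's. */

#define MAX_IMAGE_BYTES (64u * 1024u * 1024u)

/* Vulnerable pattern: 32-bit arithmetic on attacker-controlled values.
 * 0x10000 * 0x10000 * 4 wraps to 0, so a zero-length buffer looks
 * sufficient and the copy that follows runs past it. Shown for contrast. */
uint32_t image_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Hardened: reject zero or absurd inputs, multiply in 64 bits, and bound
 * the product by a policy limit before it reaches the allocator.
 * Returns 0 on success with the byte count in *out, -1 otherwise. */
int image_size_checked(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    uint64_t px;
    if (width == 0 || height == 0 || bpp == 0 || bpp > 4)
        return -1;
    px = (uint64_t)width * height;              /* cannot overflow 64 bits */
    if (px > (uint64_t)MAX_IMAGE_BYTES / bpp)
        return -1;                              /* px * bpp would exceed the cap */
    *out = (size_t)(px * bpp);
    return 0;
}

/* Byte count for the dimensions, or 0 if they are rejected. */
size_t checked_size_or_zero(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n = 0;
    return image_size_checked(width, height, bpp, &n) == 0 ? n : 0;
}

/* Copy pixel data described by server-supplied dimensions into a new
 * buffer. The comparison against data_len is what stops the out-of-bounds
 * read: dimensions can be internally consistent yet describe more pixels
 * than the PDU actually carried. Returns bytes copied, or -1 if refused. */
long copy_pixels_checked(const uint8_t *data, size_t data_len,
                         uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t need;
    uint8_t *dst;
    if (image_size_checked(width, height, bpp, &need) != 0)
        return -1;
    if (data_len < need)
        return -1;                              /* would read past the received data */
    dst = malloc(need);
    if (!dst)
        return -1;
    memcpy(dst, data, need);
    free(dst);                                  /* a real client would hand dst to the UI */
    return (long)need;
}

/* Region check for writing a decoded frame (or any rectangle) into a
 * surface. x+w and y+h are computed in 64 bits so a huge x cannot wrap
 * the comparison. Returns 1 if the rectangle lies within the surface. */
int rect_within_surface(uint32_t x, uint32_t y, uint32_t w, uint32_t h,
                        uint32_t surf_w, uint32_t surf_h)
{
    if (w == 0 || h == 0)
        return 0;
    return (uint64_t)x + w <= surf_w && (uint64_t)y + h <= surf_h;
}

/* Constructed sample: a 16x16 32bpp image (1024 bytes, all zero). */
uint8_t sample_pixels[16 * 16 * 4];

int main(void)
{
    printf("unchecked 65536x65536x4 = %u bytes\n",
           (unsigned)image_size_unchecked(0x10000, 0x10000, 4));
    printf("checked 65536x65536x4 -> %zu (0 = rejected)\n",
           checked_size_or_zero(0x10000, 0x10000, 4));
    printf("copy 16x16x4 from 1024 bytes -> %ld\n",
           copy_pixels_checked(sample_pixels, sizeof sample_pixels, 16, 16, 4));
    printf("copy 32x32x4 from 1024 bytes -> %ld\n",
           copy_pixels_checked(sample_pixels, sizeof sample_pixels, 32, 32, 4));
    printf("1920x1080 frame into a 1280x720 surface -> %d\n",
           rect_within_surface(0, 0, 1920, 1080, 1280, 720));
    return 0;
}
```

The 64-bit multiply alone is not enough: without the policy cap a server can still request a multi-gigabyte allocation, and without the data_len comparison a correctly computed size can still drive the copy past the end of what was received.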


6) Out-of-bounds read (CVE-ID: N/A)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information or cause a denial of service.

The vulnerability exists due to an out-of-bounds read in glyph_cache_get() when processing crafted glyph fragments from a malicious RDP server. A remote attacker controlling the server can send crafted glyph orders that cause an out-of-bounds heap read, disclosing memory contents or crashing the client.

User interaction is required because the victim must connect to the attacker's RDP server.
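What follows is an added example, not FreeRDP's glyph_cache_get() and not the fix for this issue. The bulletin does not say which value the function fails to validate, so the example assumes the common shape of a CWE-125 in a cache lookup: a server-supplied cache id and index used without checking them against the negotiated cache sizes. The type names, the per-cache entry counts and the lookup sequence are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative glyph cache, not FreeRDP's code. The bulletin does not say
 * what glyph_cache_get() fails to validate; this assumes the usual shape of
 * the bug, a server-supplied cache id or index used without checking it
 * against the negotiated cache sizes. Names and entry counts are assumptions. */

#define GLYPH_CACHE_COUNT 10

typedef struct {
    uint8_t *aj;            /* 1bpp bitmap, NULL until a cache-glyph order fills the slot */
    uint32_t cx, cy;        /* glyph size in pixels */
} glyph;

typedef struct {
    glyph   *entries;
    uint32_t count;         /* entries negotiated for this cache id */
} glyph_cache_slot;

typedef struct {
    glyph_cache_slot cache[GLYPH_CACHE_COUNT];
} glyph_cache;

/* Constructed per-cache entry counts standing in for what the glyph cache
 * capability set would have negotiated. */
const uint32_t sample_cache_entries[GLYPH_CACHE_COUNT] =
    { 254, 254, 254, 254, 254, 254, 254, 254, 254, 64 };

int glyph_cache_init(glyph_cache *gc, const uint32_t *entries)
{
    memset(gc, 0, sizeof *gc);
    for (size_t i = 0; i < GLYPH_CACHE_COUNT; i++) {
        gc->cache[i].entries = calloc(entries[i], sizeof(glyph));
        if (!gc->cache[i].entries) return -1;
        gc->cache[i].count = entries[i];
    }
    return 0;
}

void glyph_cache_free(glyph_cache *gc)
{
    for (size_t i = 0; i < GLYPH_CACHE_COUNT; i++) {
        for (uint32_t j = 0; j < gc->cache[i].count; j++)
            free(gc->cache[i].entries[j].aj);
        free(gc->cache[i].entries);
    }
}

/* Vulnerable pattern: id and index come straight from the glyph order, so an
 * id >= GLYPH_CACHE_COUNT or an index >= count reads heap memory past the
 * table. Never called here. */
const glyph *glyph_cache_get_unchecked(const glyph_cache *gc, uint32_t id, uint32_t index)
{
    return &gc->cache[id].entries[index];
}

/* Hardened: id against the fixed cache count, index against the entry count
 * negotiated for that cache, and refuse slots never filled by a cache-glyph
 * order (their contents are whatever calloc left, not a glyph). */
const glyph *glyph_cache_get_checked(const glyph_cache *gc, uint32_t id, uint32_t index)
{
    const glyph *g;
    if (id >= GLYPH_CACHE_COUNT) return NULL;
    if (index >= gc->cache[id].count) return NULL;
    g = &gc->cache[id].entries[index];
    return g->aj ? g : NULL;
}

/* Constructed sequence of glyph-order lookups, one valid and four malformed.
 * Returns how many the checked getter served (the unchecked getter would
 * have returned a pointer for all five). */
int demo_glyph_lookups(void)
{
    static const uint8_t bits[16] = { 0xFF };   /* an 8x16 1bpp glyph */
    static const uint32_t refs[][2] = {
        { 0, 5 },    /* valid; populated below */
        { 0, 300 },  /* index past cache 0's 254 entries */
        { 10, 0 },   /* cache id out of range */
        { 9, 70 },   /* index past cache 9's 64 entries */
        { 0, 6 },    /* in range but never populated */
    };
    glyph_cache gc;
    glyph *g;
    int served = 0;
    if (glyph_cache_init(&gc, sample_cache_entries) != 0) return -1;
    g = &gc.cache[0].entries[5];                /* fill one slot as a cache-glyph order would */
    g->aj = malloc(sizeof bits);
    if (g->aj) { memcpy(g->aj, bits, sizeof bits); g->cx = 8; g->cy = 16; }
    for (size_t i = 0; i < sizeof refs / sizeof refs[0]; i++)
        if (glyph_cache_get_checked(&gc, refs[i][0], refs[i][1])) served++;
    glyph_cache_free(&gc);
    return served;
}
```

The check against the negotiated count matters because the caches are not all the same size: an index that is valid for cache 0 is out of bounds for cache 9, so a single global maximum is not a sufficient bound.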


Remediation

Install the update from the vendor's website.

All six issues are triggered from the server side of the connection (a malicious RDP server or gateway, or for item 3 an active machine-in-the-middle on gateway traffic), so until the update is applied, exposure is limited to sessions with untrusted servers and gateways. Items 2 and 3 additionally require the TS Gateway / RD Gateway transport, item 1 requires RAIL/RemoteApp mode, and items 4 and 5 require an H.264 decoder backend with RDPGFX AVC420 or AVC444 negotiated.