SB2026070651 - Multiple vulnerabilities in FreeRDP



SB2026070651 - Multiple vulnerabilities in FreeRDP

Published: July 6, 2026

Security Bulletin ID SB2026070651
CSH Severity
High
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 13% Medium 63% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 vulnerabilities.


1) Heap-based buffer overflow (CVE-ID: N/A)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.

The vulnerability exists due to heap-based buffer overflow in crypto_rsa_common() when decrypting a client-supplied encrypted client random during server key establishment. A remote attacker can send a specially crafted ciphertext to cause a denial of service and potentially execute arbitrary code.

The issue is reachable pre-authentication on server-side deployments that permit RDP Standard Security, and user interaction is not required.


2) Double free (CVE-ID: N/A)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to double free in rdpsnd_server_recv_formats() and rdpsnd_server_context_free() when processing a malformed Client Audio Formats PDU on the rdpsnd server channel. A remote user can send a specially crafted PDU to cause a denial of service.

The issue occurs after successful RDP authentication and requires the server build to include the rdpsnd server channel. The malformed PDU leaves a dangling client_formats pointer that is freed again during session teardown.


3) Double free (CVE-ID: N/A)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause memory corruption.

The vulnerability exists due to double free in freerdp_client_rdp_file_apply_to_settings() when parsing a crafted selectedmonitors field in a .rdp file. A remote attacker can trick the victim into opening a crafted .rdp file to cause memory corruption.

User interaction is required to open the crafted connection file, and the issue is reachable in the default configuration of the FreeRDP CLI clients.


4) Heap-based buffer overflow (CVE-ID: N/A)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in freerdp_dsp_decode_opus in libfreerdp/codec/dsp.c when decoding a server-supplied Opus wave PDU on the rdpsnd audio channel. A remote attacker can send a specially crafted Opus audio packet to execute arbitrary code.

Only clients built with WITH_OPUS enabled and without the FFmpeg DSP backend are vulnerable. User interaction is limited to connecting to the server with audio redirection active.


5) Division by zero (CVE-ID: N/A)

CWE-ID: CWE-369 - Divide By Zero

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to divide by zero in rdpsnd_server_select_format when processing client-supplied audio format parameters. A remote user can advertise a specially crafted audio format to cause a denial of service.

The issue affects the server-side rdpsnd virtual channel and can result in a SIGFPE.


6) Out-of-bounds read (CVE-ID: CVE-2026-57158)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds read in planar_decompress_plane_rle_only when processing a truncated RLE planar payload in RDPGFX_CMDID_WIRETOSURFACE_1. A remote attacker can send a specially crafted WireToSurface packet with codecId=PLANAR and a payload truncated by 1 byte to cause a denial of service.

No user interaction beyond connecting to the server is required.


7) Out-of-bounds read (CVE-ID: CVE-2026-57157)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds read in the RDCamera_Device_Enumerator dynamic virtual channel handlers when parsing attacker-supplied DeviceName or VirtualChannelName fields without a NUL terminator. A remote attacker can send a specially crafted channel notification to cause a denial of service.

Direct information disclosure is limited because the out-of-bounds value is only used in a comparison, and the past-allocation read requires a message that exactly fills the 4096-byte receive buffer.


8) Heap-based buffer overflow (CVE-ID: CVE-2026-57156)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.

The vulnerability exists due to integer overflow leading to heap-based buffer overflow in libfreerdp/core/orders.c when parsing Orders Delta Points data from a malicious RDP peer. A remote attacker can send a specially crafted value to trigger heap memory corruption to cause a denial of service or execute arbitrary code.

Only 32-bit builds are vulnerable.


Remediation

Install update from vendor's website.