SB2026071605 - Multiple vulnerabilities in FreeRDP
Published: July 16, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 26 vulnerabilities.
1) Uncontrolled Memory Allocation (CVE-ID: N/A)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to uncontrolled memory allocation in rdpei_server_handle_messages() when processing a peer-controlled RDPEI PDU length field. A remote user can send a specially crafted RDPEI header with a large declared body length to cause a denial of service.
The issue affects FreeRDP server, proxy, or shadow deployments where the RDPEI channel is reachable.
2) Out-of-bounds read (CVE-ID: N/A)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service and disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the RDP6 planar bitmap RLE decoder functions planar_decompress_plane_rle() and planar_decompress_plane_rle_only() when parsing a truncated planar-encoded bitmap or surface update from an RDP server. A remote attacker can send a specially crafted planar-encoded update to cause a denial of service and disclose sensitive information.
User interaction is required because a client must connect to a malicious or compromised RDP server, and the issue is reachable through both the classic bitmap update PDU path and the RDPGFX surface command path.
3) Heap-based buffer overflow (CVE-ID: N/A)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in the FreeRDP Windows client clipboard virtual channel handling in wfreerdp when processing CLIPRDR_FILE_CONTENTS_RESPONSE PDUs from a server. A remote user can send a specially crafted clipboard file contents response to execute arbitrary code.
User interaction is required to connect to a malicious RDP server and perform a paste operation in Windows Explorer, and clipboard redirection must be enabled.
4) NULL pointer dereference (CVE-ID: N/A)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in smartcard request cleanup helpers free_reader_states_a/w in FreeRDP smartcard Device Control request handling when processing a malformed smartcard Device Control request that fails during rgReaderStates decoding after a remote-controlled cReaders value is set. A remote attacker can send a specially crafted smartcard Device Control request to cause a denial of service.
The issue is triggered during cleanup of a partially decoded smartcard operation when rgReaderStates remains NULL and cReaders is greater than zero. Smartcard redirection or smartcard proxy handling must be enabled in the affected path.
5) Reachable assertion (CVE-ID: N/A)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to reachable assertion in serial_process_irp_device_control() in FreeRDP serial redirection handling when processing a server-supplied IRP_MJ_DEVICE_CONTROL request. A remote attacker can send a specially crafted request to cause a denial of service.
Serial port redirection must be enabled, and user interaction is required to connect the client to a malicious or compromised RDP server.
6) Division by zero (CVE-ID: N/A)
CWE-ID: CWE-369 - Divide By Zero
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to divide by zero in ecam_encoder_context_init() when processing a StartStreamsRequest PDU containing a server-controlled frame-rate denominator. A remote attacker can send a specially crafted StartStreamsRequest PDU to cause a denial of service.
User interaction is required because the victim must connect to a malicious or compromised RDP server with camera redirection enabled.
7) Out-of-bounds read (CVE-ID: N/A)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service or disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the async update message proxy for PolygonCB orders when processing crafted primary drawing orders from a malicious RDP server with AsyncUpdate enabled. A remote attacker can send a specially crafted PolygonCB update order to cause a denial of service or disclose sensitive information.
The issue affects the client side and requires AsyncUpdate to be enabled.
8) Out-of-bounds read (CVE-ID: N/A)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service or disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the async update message proxy for PolygonSC orders when processing crafted primary drawing orders from a malicious RDP server with AsyncUpdate enabled. A remote attacker can send a specially crafted PolygonSC update order to cause a denial of service or disclose sensitive information.
The issue affects the client side and requires AsyncUpdate to be enabled.
9) Use-after-free (CVE-ID: N/A)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service or disclose sensitive information.
The vulnerability exists due to use-after-free in the async update message proxy for RAIL NOTIFY_ICON_STATE_ORDER handling when processing crafted update orders from an RDP server with AsyncUpdate enabled. A remote attacker can send crafted update orders to cause a denial of service or disclose sensitive information.
Only clients with AsyncUpdate enabled are vulnerable.
10) Use-after-free (CVE-ID: N/A)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service or disclose sensitive information.
The vulnerability exists due to use-after-free in the async update message proxy for RAIL WINDOW_STATE_ORDER handling when processing crafted update orders from an RDP server with AsyncUpdate enabled. A remote attacker can send crafted update orders to cause a denial of service or disclose sensitive information.
Only clients with AsyncUpdate enabled are vulnerable.
11) Use-after-free (CVE-ID: N/A)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to use-after-free in the async update message proxy for WINDOW_ICON_ORDER when processing crafted RAIL Window Alternate Secondary Orders with WINDOW_ORDER_ICON. A remote attacker can send a specially crafted RDP update order to cause a denial of service.
Exploitation requires AsyncUpdate to be enabled on the client.
12) Heap-based buffer overflow (CVE-ID: N/A)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in rail_server_handle_messages() in the server-side RAIL channel handling code when processing a crafted RAIL PDU header with an orderLength smaller than the fixed header length. A remote user can send a specially crafted RDP client message to cause a denial of service.
The issue is triggered when a malicious or compromised RDP client can reach the server-side RAIL channel.
13) Allocation of Resources Without Limits or Throttling (CVE-ID: N/A)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper limitation of a pathname to a restricted directory in http_response_recv_body() when processing chunked HTTP response bodies from an RD Gateway or gateway HTTP endpoint. A remote attacker can send an oversized chunked HTTP response to cause a denial of service.
The issue affects the client-side chunked transfer path, where oversized response bodies are accepted and stored without applying the intended response size limit.
14) Out-of-bounds read (CVE-ID: N/A)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to an out-of-bounds heap read in the UVC H.264 extension-unit parser in the rdpecam V4L client path when processing a crafted USB video-control interface extra descriptor during camera stream setup. An attacker with physical access can provide a malicious USB camera with a short extension-unit descriptor to cause a denial of service.
User interaction is required to use the redirected camera, and the issue is triggered when a V4L camera stream is created.
15) Path traversal (CVE-ID: N/A)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to access, modify, delete, or enumerate files outside the configured shared root.
The vulnerability exists due to path traversal in drive redirection path handling in drive_file_combine_fullpath() when processing a server-supplied non-rooted RDPDR path. A remote attacker can send a specially crafted RDPDR path to access, modify, delete, or enumerate files outside the configured shared root.
Drive redirection must be enabled, and user interaction is required because the client must connect to a malicious or compromised RDP server and share a local drive or path. The demonstrated scope is limited to prefix-sibling paths that share the configured root as a string prefix rather than arbitrary whole-filesystem access.
16) Reachable assertion (CVE-ID: N/A)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an assertion failure caused by improper handling of zero-length ping control frames in the gateway WebSocket transport when processing server-sent ping control frames. A remote attacker can send a zero-length ping frame to cause a denial of service.
A valid zero-length Ping reaches an assertion in websocket_context_write_wstream() and terminates the client.
17) Out-of-bounds read (CVE-ID: N/A)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an over-read caused by improper stream length handling in the gateway WebSocket transport when processing server-sent ping control frames. A remote attacker can send a specially crafted ping frame to disclose sensitive information.
The client sends a Pong whose payload may include bytes beyond the received Ping payload, and the peer can recover the masked payload because it receives the WebSocket masking key.
18) Out-of-bounds read (CVE-ID: N/A)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read in update_process_glyph_fragments() and glyph_cache_fragment_put() when processing GLYPH_FRAGMENT_ADD data from an RDP server. A remote attacker can send a short GLYPH_FRAGMENT_ADD payload with a larger declared fragment size to cause a denial of service.
The demonstrated impact is a client-side crash, and no attacker-controlled write primitive, remote code execution, or direct information disclosure beyond the out-of-bounds read was confirmed.
19) Out-of-bounds read (CVE-ID: N/A)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in the TSMF FFmpeg decoder path when parsing AVC1 MPEG2VIDEOINFO media types with short ExtraData. A remote attacker can send specially crafted server-controlled media format data to cause a denial of service.
Only deployments with the deprecated and optional TSMF feature and the FFmpeg decoder path available are vulnerable.
20) Input validation error (CVE-ID: N/A)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to inject headers into HTTP proxy CONNECT requests.
The vulnerability exists due to improper input validation in http_proxy_connect() when processing a server-controlled redirected TargetNetAddress through an HTTP proxy connection. A remote attacker can send a crafted redirection PDU containing CRLF or other control characters to inject headers into HTTP proxy CONNECT requests.
Exploitation requires the client to use an HTTP proxy and to connect to a malicious or compromised RDP server that can send a redirection PDU.
21) Improper Certificate Validation (CVE-ID: N/A)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass TLS server certificate purpose validation.
The vulnerability exists due to improper certificate validation in tls_verify_certificate(), freerdp_certificate_verify(), and x509_utils_verify() when verifying the server certificate during the client-side TLS handshake. A remote attacker can present a trusted certificate that matches the target hostname but is valid only for client authentication to bypass TLS server certificate purpose validation.
Exploitation requires that the FreeRDP client trust the issuing certificate authority or chain and that the certificate hostname match the target.
22) Improper validation of certificate with host mismatch (CVE-ID: N/A)
CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass tls server hostname validation.
The vulnerability exists due to improper certificate hostname validation in tls_match_hostname() when verifying wildcard tls certificates for multi-label hostnames. A remote attacker can present a crafted wildcard certificate to bypass tls server hostname validation.
This issue affects cases where a certificate for a single-label wildcard domain is incorrectly accepted for a hostname with multiple labels.
23) NULL pointer dereference (CVE-ID: N/A)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a null pointer dereference in smartcard emulation cache handling when processing peer-controlled SCARD_IOCTL_READCACHEA or SCARD_IOCTL_WRITECACHEA requests with a null lookup-name pointer. A remote attacker can send a specially crafted smartcard cache request to cause a denial of service.
Smartcard redirection or smartcard emulation must be enabled, and the request must include a valid CardIdentifier.
24) Improper Certificate Validation (CVE-ID: N/A)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass TLS server identity validation.
The vulnerability exists due to improper certificate validation in tls_verify_certificate() and tls_match_hostname() when verifying IP-literal connection targets against DNS subject alternative name or Common Name values instead of iPAddress subject alternative name entries. A remote attacker can present a specially crafted certificate to bypass TLS server identity validation.
Exploitation requires a certificate chain trusted by the FreeRDP client.
25) Improper Certificate Validation (CVE-ID: N/A)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass TLS server identity validation.
The vulnerability exists due to improper certificate validation in tls_verify_certificate() when verifying certificates where the Common Name matches but DNS subject alternative name entries are present and non-matching. A remote attacker can present a specially crafted certificate to bypass TLS server identity validation.
Exploitation requires a certificate chain trusted by the FreeRDP client.
26) Improper Certificate Validation (CVE-ID: N/A)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass TLS server identity validation.
The vulnerability exists due to improper certificate validation in x509_utils_get_dns_names() when parsing DNS subject alternative name values containing embedded NUL bytes. A remote attacker can present a specially crafted certificate to bypass TLS server identity validation.
Exploitation requires a certificate chain trusted by the FreeRDP client.
Remediation
Install update from vendor's website.
References
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-jm8r-22j6-4m4v
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qrxx-7g3c-j6w3
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cj9v-h4hq-29jr
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78jj-45vh-jpm5
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-pfxq-3qmw-8vjx
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-v89x-pc32-hqr7
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vxp3-7g6q-rq2w
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-33gg-h66j-3697
- https://github.com/FreeRDP/FreeRDP/commit/5370fb26fbf034ecd11d3026b6ad639b5fff493f
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-34hq-hwjw-q8v3
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qmvw-52ph-q5pv
- https://github.com/FreeRDP/FreeRDP/commit/46848765f2a1134f8652f8760eefb5e85d64a9b8
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-2c6r-4pr4-9x8m
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8jj2-67pg-j6mg
- https://github.com/FreeRDP/FreeRDP
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8xqm-wp3f-rfp9
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8v6m-2cmc-chx9
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hgj8-g595-wfc6
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whq8-c3v3-p8v8
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mwwh-mhp9-q7vm
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-89c6-jjrw-96h4
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5wr6-8m8j-3h7f
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-ph3q-f9w8-7jf3
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-43hh-p3vw-hfx3