Описание
Security update for freerdp
This update for freerdp fixes the following issues:
- CVE-2025-4478: Fixed initialization of function pointers after resource allocations (bsc#1243109)
- CVE-2026-22851: Fixed RDPGFX ResetGraphics race leading to use-after-free in SDL client (sdl->primary) (bsc#1256717)
- CVE-2026-22852: Fixed heap-buffer-overflow in audin_process_formats (bsc#1256718)
- CVE-2026-22853: Fixed heap-buffer-overflow in ndr_read_uint8Array (bsc#1256719)
- CVE-2026-22854: Fixed heap-buffer-overflow in drive_process_irp_read (bsc#1256720)
- CVE-2026-22855: Fixed heap-buffer-overflow in smartcard_unpack_set_attrib_call (bsc#1256721)
- CVE-2026-22856: Fixed heap-use-after-free in create_irp_thread (bsc#1256722)
- CVE-2026-22857: Fixed heap-use-after-free in irp_thread_func (bsc#1256723)
- CVE-2026-22858: Fixed global-buffer-overflow in crypto_base64_devoce (bsc#1256724)
- CVE-2026-22859: Fixed heap-buffer-overflow in urb_select_configuration (bsc#1256725)
- CVE-2026-23530: Fixed improper validation leading to heap buffer overflow
in
planar_decompress_plane_rle(bsc#1256940) - CVE-2026-23531: Fixed improper validation in
clear_decompressleading to heap buffer overflow (bsc#1256941) - CVE-2026-23532: Fixed mismatch between destination rectangle clamping and
the actual copy size leading to heap buffer overflow in
gdi_SurfaceToSurface(bsc#1256942) - CVE-2026-23533: Fixed improper validation leading to heap buffer overflow in
clear_decompress_residual_data(bsc#1256943) - CVE-2026-23534: Fixed missing checks leading to heap buffer overflow in
clear_deceompress_bands_data(bsc#1256944) - CVE-2026-23732: Fixed improper validation leading to heap buffer overflow in
Glyph_alloc(bsc#1256945) - CVE-2026-23883: Fixed use-after-free when
update_pointer_colorandfreerdp_image_copy_fromPointer_datafail (bsc#1256946) - CVE-2026-23884: Fixed use-after-free in
gdi_set_bounds(bsc#1256947)
Список пакетов
SUSE Linux Enterprise Module for Package Hub 15 SP7
SUSE Linux Enterprise Workstation Extension 15 SP7
Ссылки
- Link for SUSE-SU-2026:0345-1
- E-Mail link for SUSE-SU-2026:0345-1
- SUSE Security Ratings
- SUSE Bug 1243109
- SUSE Bug 1256717
- SUSE Bug 1256718
- SUSE Bug 1256719
- SUSE Bug 1256720
- SUSE Bug 1256721
- SUSE Bug 1256722
- SUSE Bug 1256723
- SUSE Bug 1256724
- SUSE Bug 1256725
- SUSE Bug 1256940
- SUSE Bug 1256941
- SUSE Bug 1256942
- SUSE Bug 1256943
- SUSE Bug 1256944
- SUSE Bug 1256945
- SUSE Bug 1256946
Описание
A flaw was found in the FreeRDP used by Anaconda's remote install feature, where a crafted RDP packet could trigger a segmentation fault. This issue causes the service to crash and remain defunct, resulting in a denial of service. It occurs pre-boot and is likely due to a NULL pointer dereference. Rebooting is required to recover the system.
Затронутые продукты
Ссылки
- CVE-2025-4478
- SUSE Bug 1243109
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has been freed during RDPGFX ResetGraphics handling. This vulnerability is fixed in 3.20.1.
Затронутые продукты
Ссылки
- CVE-2026-22851
- SUSE Bug 1256717
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.
Затронутые продукты
Ссылки
- CVE-2026-22852
- SUSE Bug 1256718
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR's NDR array reader does not perform bounds checking on the on-wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1.
Затронутые продукты
Ссылки
- CVE-2026-22853
- SUSE Bug 1256719
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1.
Затронутые продукты
Ссылки
- CVE-2026-22854
- SUSE Bug 1256720
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1.
Затронутые продукты
Ссылки
- CVE-2026-22855
- SUSE Bug 1256721
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use-after-free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.
Затронутые продукты
Ссылки
- CVE-2026-22856
- SUSE Bug 1256722
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.
Затронутые продукты
Ссылки
- CVE-2026-22857
- SUSE Bug 1256723
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1.
Затронутые продукты
Ссылки
- CVE-2026-22858
- SUSE Bug 1256724
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server-supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out-of-bounds read. This vulnerability is fixed in 3.20.1.
Затронутые продукты
Ссылки
- CVE-2026-22859
- SUSE Bug 1256725
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Затронутые продукты
Ссылки
- CVE-2026-23530
- SUSE Bug 1256940
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Затронутые продукты
Ссылки
- CVE-2026-23531
- SUSE Bug 1256941
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client's `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Затронутые продукты
Ссылки
- CVE-2026-23532
- SUSE Bug 1256942
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Затронутые продукты
Ссылки
- CVE-2026-23533
- SUSE Bug 1256943
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Затронутые продукты
Ссылки
- CVE-2026-23534
- SUSE Bug 1256944
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client-side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue.
Затронутые продукты
Ссылки
- CVE-2026-23732
- SUSE Bug 1256945
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client-side use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Затронутые продукты
Ссылки
- CVE-2026-23883
- SUSE Bug 1256946
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client-side use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Затронутые продукты
Ссылки
- CVE-2026-23884
- SUSE Bug 1256947