SUSE-SU-2026:0449-1

Published: 11 Feb 2026
Source: suse-cvrf

Description

Security update for freerdp2

This update for freerdp2 fixes the following issues:

  • CVE-2026-22852: a malicious RDP server can trigger a heap-buffer-overflow in audin_process_formats (bsc#1256718).
  • CVE-2026-22854: server-controlled read length is used to read file data into an IRP output can cause heap-buffer-overflow in drive_process_irp_read (bsc#1256720).
  • CVE-2026-22856: race condition in the serial channel IRP thread tracking can cause heap-use-after-free in create_irp_thread (bsc#1256722).
  • CVE-2026-22859: improper bound check can lead to heap-buffer-overflow in urb_select_configuration (bsc#1256725).
  • CVE-2026-23530: improper validation can lead to heap buffer overflow in planar_decompress_plane_rle (bsc#1256940).
  • CVE-2026-23531: improper validation in clear_decompress can lead to heap buffer overflow (bsc#1256941).
  • CVE-2026-23532: mismatch between destination rectangle clamping and the actual copy size can lead to a heap buffer overflow in gdi_SurfaceToSurface (bsc#1256942).
  • CVE-2026-23534: missing checks can lead to heap buffer overflow in clear_decompress_bands_data (bsc#1256944).

Package list

SUSE Linux Enterprise Module for Package Hub 15 SP7
  • winpr2-devel-2.11.7-150700.3.3.1

SUSE Linux Enterprise Workstation Extension 15 SP7
  • freerdp2-2.11.7-150700.3.3.1
  • freerdp2-devel-2.11.7-150700.3.3.1
  • freerdp2-proxy-2.11.7-150700.3.3.1
  • freerdp2-server-2.11.7-150700.3.3.1
  • libfreerdp2-2-2.11.7-150700.3.3.1
  • libwinpr2-2-2.11.7-150700.3.3.1
  • winpr2-devel-2.11.7-150700.3.3.1

Description (CVE-2026-22852)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.

Affected products
SUSE Linux Enterprise Module for Package Hub 15 SP7: winpr2-devel-2.11.7-150700.3.3.1
SUSE Linux Enterprise Workstation Extension 15 SP7: freerdp2-2.11.7-150700.3.3.1
SUSE Linux Enterprise Workstation Extension 15 SP7: freerdp2-devel-2.11.7-150700.3.3.1
SUSE Linux Enterprise Workstation Extension 15 SP7: freerdp2-proxy-2.11.7-150700.3.3.1

Description (CVE-2026-22854)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1.

Description (CVE-2026-22856)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use-after-free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.

Description (CVE-2026-22859)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server-supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out-of-bounds read. This vulnerability is fixed in 3.20.1.

Description (CVE-2026-23530)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

Description (CVE-2026-23531)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

Description (CVE-2026-23532)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client's `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
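The clamping/copy-size mismatch behind CVE-2026-23532 is a general bug class: the destination rectangle is clipped to the surface, but the copy still uses the width and height of the unclipped request. The following C example is added here and is not FreeRDP's code; the surface and rectangle types are simplified stand-ins (assumed, not FreeRDP's gdi structures). It shows the safe ordering: clamp first, derive the copy size from the clamped rectangle, and bounds-check the source against that same size.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified 32bpp surface and rectangle types, constructed for this example;
 * they are stand-ins, not FreeRDP's structures. right/bottom are exclusive. */
typedef struct { uint32_t *px; uint32_t width, height; } surface_t;
typedef struct { uint32_t left, top, right, bottom; } rect_t;

/* Clip r to the surface; returns 0 when nothing remains inside the surface. */
static int clamp_rect(rect_t *r, const surface_t *s)
{
    if (r->right > s->width)   r->right = s->width;
    if (r->bottom > s->height) r->bottom = s->height;
    return (r->left < r->right && r->top < r->bottom);
}

/* Copy a rectangle of src starting at (sx, sy) into dst at dr.
 * The vulnerable shape is: clamp dr, then copy the ORIGINAL request width/height.
 * Here the copy size is derived from the clamped rectangle, and the source is
 * checked against that same size. Returns pixels copied, or -1 when rejected. */
long surface_to_surface(surface_t *dst, rect_t dr, const surface_t *src,
                        uint32_t sx, uint32_t sy)
{
    if (dr.left > dr.right || dr.top > dr.bottom) return -1;  /* malformed request */
    if (!clamp_rect(&dr, dst)) return -1;                      /* fully off-surface */
    uint32_t w = dr.right - dr.left;
    uint32_t h = dr.bottom - dr.top;
    /* Check the origin first so the subtractions below cannot wrap. */
    if (sx > src->width || sy > src->height) return -1;
    if (w > src->width - sx || h > src->height - sy) return -1;
    for (uint32_t y = 0; y < h; y++)
        memcpy(&dst->px[(size_t)(dr.top + y) * dst->width + dr.left],
               &src->px[(size_t)(sy + y) * src->width + sx],
               (size_t)w * sizeof(uint32_t));
    return (long)w * (long)h;
}

/* Allocate a zeroed surface (constructed sample data for callers and tests). */
surface_t make_surface(uint32_t width, uint32_t height)
{
    surface_t s = { calloc((size_t)width * height, sizeof(uint32_t)), width, height };
    return s;
}
```

A request that overhangs the surface copies only the in-bounds part; one that is entirely outside, or whose source is too small for the clamped size, is rejected instead of overflowing.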

Description (CVE-2026-23534)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.