Описание
Security update for freerdp2
This update for freerdp2 fixes the following issues:
- CVE-2026-26271: Buffer Overread in FreeRDP Icon Processing (bsc#1258979).
- CVE-2026-26955: Out-of-bounds Write in freerdp (bsc#1258982).
- CVE-2026-26965: Out-of-bounds Write in freerdp (bsc#1258985).
- CVE-2026-31806: improper validation of server messages can lead to a heap buffer overflow and arbitrary code execution (bsc#1259653).
- CVE-2026-31883: crafted RDPSND audio format and wave data can cause a heap buffer overflow write (bsc#1259679).
- CVE-2026-31885: unchecked predictor can lead to an out-of-bounds read (bsc#1259686).
Список пакетов
SUSE Linux Enterprise Module for Package Hub 15 SP7
SUSE Linux Enterprise Workstation Extension 15 SP7
Ссылки
- Link for SUSE-SU-2026:1164-1
- E-Mail link for SUSE-SU-2026:1164-1
- SUSE Security Ratings
- SUSE Bug 1258979
- SUSE Bug 1258982
- SUSE Bug 1258985
- SUSE Bug 1259653
- SUSE Bug 1259679
- SUSE Bug 1259686
- SUSE CVE CVE-2026-26271 page
- SUSE CVE CVE-2026-26955 page
- SUSE CVE CVE-2026-26965 page
- SUSE CVE CVE-2026-31806 page
- SUSE CVE CVE-2026-31883 page
- SUSE CVE CVE-2026-31885 page
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer overread in `freerdp_image_copy_from_icon_data()` (libfreerdp/codec/color.c) can be triggered by crafted RDP Window Icon (TS_ICON_INFO) data. The bug is reachable over the network when a client processes icon data from an RDP server (or from a man-in-the-middle). Version 3.23.0 fixes the issue.
Затронутые продукты
Ссылки
- CVE-2026-26271
- SUSE Bug 1258979
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command - full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.
Затронутые продукты
Ссылки
- CVE-2026-26955
- SUSE Bug 1258982
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128x128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data - control-flow-relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability.
Затронутые продукты
Ссылки
- CVE-2026-26965
- SUSE Bug 1258985
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits() function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size. Because these values are used during bitmap decoding and memory operations without proper bounds checking, this can lead to a heap buffer overflow. Since the attacker can also control the associated pixel data transmitted by the server, the overflow may be exploitable to overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0.
Затронутые продукты
Ссылки
- CVE-2026-31806
- SUSE Bug 1259653
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.
Затронутые продукты
Ссылки
- CVE-2026-31883
- SUSE Bug 1259679
Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input data. This vulnerability is fixed in 3.24.0.
Затронутые продукты
Ссылки
- CVE-2026-31885
- SUSE Bug 1259686