Debian Freerdp2 vulnerabilities
155 known vulnerabilities affecting debian/freerdp2.
Total CVEs: 155
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 13, HIGH 34, MEDIUM 68, LOW 39
Vulnerabilities
Page 2 of 8
CVE-2026-24679 (HIGH, CVSS 8.7), fixed in freerdp3 3.22.0+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the URBDRC client uses server-supplied interface numbers as array indices without bounds checks, causing an out-of-bounds read in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
Scope: local
bookworm: open
bullseye: open
debian
CVE-2026-23883 (HIGH, CVSS 7.7), fixed in freerdp3 3.21.0+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depe
debian
CVE-2026-23530 (HIGH, CVSS 7.7), fixed in freerdp3 3.21.0+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution ris
debian
CVE-2026-24491 (HIGH, CVSS 7.7), fixed in freerdp3 3.22.0+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notifications after the control channel is closed, dereferencing a freed callback and triggering a use after free. This vulnerability is fixed in 3.22.0.
Scope: local
bookworm: open
bullseye: open
debian
CVE-2026-33987 (HIGH, CVSS 7.1), fixed in freerdp3 3.24.2+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in persistent_cache_read_entry_v3() in libfreerdp/cache/persistent.c, persistent->bmpSize is updated before winpr_aligned_recalloc(). If realloc fails, bmpSize is inflated while bmpData points to the old buffer. This issue has been patched in version 3.24.2.
Scope: local
bookw
debian
CVE-2026-25942 (MEDIUM, CVSS 5.5), fixed in freerdp3 3.23.0+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 0–6) with an unchecked `execResult->execResult` value received from the server, allowing an out-of-bounds read when the server sends an `execResult` value of 7 or greater. Vers
debian
CVE-2026-33983 (MEDIUM, CVSS 6.5), fixed in freerdp3 3.24.2+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, progressive_decompress_tile_upgrade() detects a mismatch via progressive_rfx_quant_cmp_equal() but only emits WLog_WARN, and execution continues. The wrapped value (247) is used as a shift exponent, causing undefined behavior and an approximately 80 billion iteration loop (CPU D
debian
CVE-2026-23948 (MEDIUM, CVSS 6.9), fixed in freerdp3 3.22.0+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, a NULL pointer dereference vulnerability in rdp_write_logon_info_v2() allows a malicious RDP server to crash the FreeRDP proxy by sending a specially crafted LogonInfoV2 PDU with cbDomain=0 or cbUserName=0. This vulnerability is fixed in 3.22.0.
Scope: local
bookworm: open
bullseye: ope
debian
CVE-2026-25941 (MEDIUM, CVSS 4.3), fixed in freerdp3 3.23.0+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength
debian
CVE-2026-25954 (MEDIUM, CVSS 5.5), fixed in freerdp3 3.23.0+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channe
debian
CVE-2026-31883 (MEDIUM, CVSS 6.5), fixed in freerdp3 3.24.0+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nB
debian
CVE-2026-31884 (MEDIUM, CVSS 6.5), fixed in freerdp3 3.24.0+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a division by zero in the MS-ADPCM and IMA-ADPCM decoders when nBlockAlign is 0 leads to a crash. In libfreerdp/codec/dsp.c, both ADPCM decoders use size % block_size where block_size = context->common.format.nBlockAlign. The nBlockAlign value comes from the Server Audio Formats PDU on
debian
CVE-2026-23732 (MEDIUM, CVSS 5.5), fixed in freerdp3 3.21.0+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client‑side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue.
Scope: local
bookwor
debian
CVE-2026-22851 (MEDIUM, CVSS 6.9), fixed in freerdp3 3.20.2+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has been freed during RDPGFX ResetGraphics handling. This vulnerability is
debian
CVE-2026-22858 (MEDIUM, CVSS 5.6), fixed in freerdp3 3.20.2+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a global buffer overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASC
debian
CVE-2026-26986 (MEDIUM, CVSS 5.5), fixed in freerdp3 3.23.0+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer th
debian
CVE-2026-25959 (MEDIUM, CVSS 5.5), fixed in freerdp3 3.23.0+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response` which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cl
debian
CVE-2026-27015 (MEDIUM, CVSS 5.0), fixed in freerdp3 3.23.0+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` → `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSER
debian
CVE-2026-22853 (MEDIUM, CVSS 6.8), fixed in freerdp3 3.20.2+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1.
Scope: local
bookworm: open
bullseye: open
debian
CVE-2026-25997 (MEDIUM, CVSS 5.5), fixed in freerdp3 3.23.0+dfsg-1 (forky), 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a hea
debian