Debian Freerdp3 vulnerabilities

CVE-2026-25952 [MEDIUM] CVE-2026-25952: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete ord

CVE-2026-22856 [MEDIUM] CVE-2026-22856: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1. Scope: local bookworm: open bullseye: open

CVE-2026-33952 [MEDIUM] CVE-2026-33952: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, an unvalidated auth_length field read from the network triggers a WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks(), causing any FreeRDP client connecting through a malicious RDP Gateway to crash with SIGABRT. This is a pre-authentication denial of service affecti

CVE-2026-29775 [MEDIUM] CVE-2026-29775: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one eleme

CVE-2026-31885 [MEDIUM] CVE-2026-31885: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input data. This vulnerability is fixed in 3.24.0. Scope: local bookworm: open bullseye: open

CVE-2026-26271 [MEDIUM] CVE-2026-26271: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer overread in `freerdp_image_copy_from_icon_data()` (libfreerdp/codec/color.c) can be triggered by crafted RDP Window Icon (TS_ICON_INFO) data. The bug is reachable over the network when a client processes icon data from an RDP server (or from a man-in-the-middle). Ve

CVE-2026-25953 [MEDIUM] CVE-2026-25953: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Ve

CVE-2026-27951 [MEDIUM] CVE-2026-27951: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and server implementations using `FreeRDP`. For practical exploitation this will only work on 32bit systems where the available physical memory is `>= SIZE_MAX`. Version 3.23

CVE-2026-22852 [MEDIUM] CVE-2026-22852: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, caus

CVE-2026-25955 [MEDIUM] CVE-2026-25955: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue. Scope: local

CVE-2026-22859 [MEDIUM] CVE-2026-22859: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out‑of‑bounds read. This vulnerability is fixed in 3.20.1. Scope: local bookworm: open bullseye: open

CVE-2026-33985 [MEDIUM] CVE-2026-33985: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, pixel data from adjacent heap memory is rendered to screen, potentially leaking sensitive data to the attacker. This issue has been patched in version 3.24.2. Scope: local bookworm: open bullseye: open

CVE-2026-33995 [MEDIUM] CVE-2026-33995: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a double-free vulnerability in kerberos_AcceptSecurityContext() and kerberos_InitializeSecurityContextA() (WinPR, winpr/libwinpr/sspi/Kerberos/kerberos.c) can cause a crash in any FreeRDP clients on systems where Kerberos and/or Kerberos U2U is configured (Samba AD member, o

CVE-2026-22855 [MEDIUM] CVE-2026-22855: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1. Scope: local bookworm: open bullseye: open

CVE-2026-29774 [MEDIUM] CVE-2026-29774: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing horizontal bounds validation of H.264 metablock regionRects coordinates. In yuv.c, the clamp() function (line 347) only validates top/bottom against the surface/

CVE-2026-22854 [MEDIUM] CVE-2026-22854: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1. Scope: local bookworm:

CVE-2026-22857 [MEDIUM] CVE-2026-22857: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1. Scope: local bookworm: open bullseye: open

CVE-2026-33977 [MEDIUM] CVE-2026-33977: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a malicious RDP server can crash the FreeRDP client by sending audio data in IMA ADPCM format with an invalid initial step index value (>= 89). The unvalidated step index is read directly from the network and used to index into a 89-entry lookup table, triggering a WINPR_ASS

CVE-2026-27950 [HIGH] CVE-2026-27950: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to the SDL3 code path. In the SDL2 implementation, the poi

CVE-2026-29776 [LOW] CVE-2026-29776: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0... FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, Integer Underflow in update_read_cache_bitmap_order Function of FreeRDP's Core Library This vulnerability is fixed in 3.24.0. Scope: local bookworm: open bullseye: open