8d184e5504
Patches mostly backported on the basis of the work of the Ubuntu
Security team. See [1].
Fix the following vulnerabilities:
- CVE-2024-32661:
FreeRDP is a free implementation of the Remote Desktop Protocol.
FreeRDP based clients prior to version 3.5.1 are vulnerable to a
possible `NULL` access and crash. Version 3.5.1 contains a patch for
the issue. No known workarounds are available.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-32661
- CVE-2026-23530:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, `freerdp_bitmap_decompress_planar` does not validate
`nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before
RLE decode. A malicious server can trigger a client‑side heap buffer
overflow, causing a crash (DoS) and potential heap corruption with
code‑execution risk depending on allocator behavior and surrounding
heap layout. Version 3.21.0 contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23530
- CVE-2026-23531:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, in ClearCodec, when `glyphData` is present,
`clear_decompress` calls `freerdp_image_copy_no_overlap` without
validating the destination rectangle, allowing an out-of-bounds
read/write via crafted RDPGFX surface updates. A malicious server can
trigger a client‑side heap buffer overflow, causing a crash (DoS) and
potential heap corruption with code‑execution risk depending on
allocator behavior and surrounding heap layout. Version 3.21.0
contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23531
- CVE-2026-23532:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, a client-side heap buffer overflow occurs in the
FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between
destination rectangle clamping and the actual copy size. A malicious
server can trigger a client‑side heap buffer overflow, causing a crash
(DoS) and potential heap corruption with code‑execution risk depending
on allocator behavior and surrounding heap layout. Version 3.21.0
contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23532
- CVE-2026-23533:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, a client-side heap buffer overflow occurs in the
RDPGFX ClearCodec decode path when maliciously crafted residual data
causes out-of-bounds writes during color output. A malicious server
can trigger a client‑side heap buffer overflow, causing a crash (DoS)
and potential heap corruption with code‑execution risk depending on
allocator behavior and surrounding heap layout. Version 3.21.0
contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23533
- CVE-2026-23534:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, a client-side heap buffer overflow occurs in the
ClearCodec bands decode path when crafted band coordinates allow
writes past the end of the destination surface buffer. A malicious
server can trigger a client‑side heap buffer overflow, causing a crash
(DoS) and potential heap corruption with code‑execution risk depending
on allocator behavior and surrounding heap layout. Version 3.21.0
contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23534
- CVE-2026-23948:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, a NULL pointer dereference vulnerability in
rdp_write_logon_info_v2() allows a malicious RDP server to crash
FreeRDP proxy by sending a specially crafted LogonInfoV2 PDU with
cbDomain=0 or cbUserName=0. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23948
- CVE-2026-24675:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, urb_select_interface can free the device's MS config on
error but later code still dereferences it, leading to a use after
free in libusb_udev_select_interface. This vulnerability is fixed in
3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24675
- CVE-2026-24676:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, AUDIN format renegotiation frees the active format list
while the capture thread continues using audin->format, leading to a
use after free in audio_format_compatible. This vulnerability is fixed
in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24676
- CVE-2026-24679:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, the URBDRC client uses server-supplied interface numbers as
array indices without bounds checks, causing an out-of-bounds read in
libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24679
- CVE-2026-24681:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, asynchronous bulk transfer completions can use a freed
channel callback after URBDRC channel close, leading to a use after
free in urb_write_completion. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24681
- CVE-2026-24682:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, audin_server_recv_formats frees an incorrect number of
audio formats on parse failure (i + i), leading to out-of-bounds
access in audio_formats_free. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24682
- CVE-2026-24683:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, ainput_send_input_event caches channel_callback in a local
variable and later uses it without synchronization; a concurrent
channel close can free or reinitialize the callback, leading to a use
after free. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24683
[1] https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
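
Added example, not part of the commit and not FreeRDP code: the bug class named in the CVE-2026-23532 entry (destination rectangle clamped, copy size taken from the unclamped request) and the shape of a check that closes it. The `surface_t` and `rect_t` types, the function names, the 32-bit pixel format and the requirement that source and destination are different surfaces with `stride >= width * 4` are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical types for illustration; not FreeRDP's surface structures. */
typedef struct { uint32_t width, height, stride; uint8_t *data; } surface_t;
typedef struct { uint32_t left, top, right, bottom; } rect_t; /* right/bottom exclusive */

#define BPP 4u /* bytes per pixel, assumed 32-bit format */

/* Intersect r with the surface bounds; returns 0 if nothing remains. */
static int clamp_rect(const surface_t *s, rect_t *r)
{
    if (r->right > s->width) r->right = s->width;
    if (r->bottom > s->height) r->bottom = s->height;
    return r->left < r->right && r->top < r->bottom;
}

/* Copy src_rect from src to (dst_x, dst_y) in dst and return the number of
 * pixels written. The width and height used by the copy loop are derived
 * from the rectangles after clamping, never from the peer-supplied request. */
size_t surface_copy_clamped(surface_t *dst, uint32_t dst_x, uint32_t dst_y,
                            const surface_t *src, rect_t src_rect)
{
    if (!dst || !src || !dst->data || !src->data) return 0;
    if (!clamp_rect(src, &src_rect)) return 0;

    /* 64-bit sums so that dst_x + width cannot wrap around. */
    uint64_t right = (uint64_t)dst_x + (src_rect.right - src_rect.left);
    uint64_t bottom = (uint64_t)dst_y + (src_rect.bottom - src_rect.top);
    rect_t d = { dst_x, dst_y, 0, 0 };
    d.right = right > dst->width ? dst->width : (uint32_t)right;
    d.bottom = bottom > dst->height ? dst->height : (uint32_t)bottom;
    if (d.left >= d.right || d.top >= d.bottom) return 0;

    uint32_t w = d.right - d.left; /* clamped size drives the copy */
    uint32_t h = d.bottom - d.top;
    for (uint32_t y = 0; y < h; y++)
        memcpy(dst->data + (size_t)(d.top + y) * dst->stride + (size_t)d.left * BPP,
               src->data + (size_t)(src_rect.top + y) * src->stride
                         + (size_t)src_rect.left * BPP,
               (size_t)w * BPP);
    return (size_t)w * h;
}
```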