An update for freerdp is now available for openEuler-24.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2439 Final 1.0 1.0 2026-05-22 Initial 2026-05-22 2026-05-22 openEuler SA Tool V1.0 2026-05-22 freerdp security update An update for freerdp is now available for openEuler-24.03-LTS-SP3 FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp. Security Fix(es): A malicious server can trigger a client-side global buffer overflow, causing a crash (denial of service)(CVE-2026-25942) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a heap-use-after-free vulnerability exists in the X11 client backend. Specifically, the `xf_SetWindowMinMaxInfo` function dereferences a freed `xfAppWindow` pointer. This occurs because `xf_rail_get_window` within `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table. The main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer, leading to a dangling pointer. A malicious server can exploit this to trigger a client-side crash (Denial of Service) and potentially cause heap corruption with a risk of code execution, depending on allocator behavior and surrounding heap layout.(CVE-2026-25952) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the `xf_AppUpdateWindowFromSurface` function reads from a freed `xfAppWindow` object. This occurs because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order, resulting in a use-after-free condition. A malicious server can exploit this vulnerability to trigger a client-side heap use-after-free, causing a crash (Denial of Service) and potentially leading to heap corruption with a risk of code execution, depending on allocator behavior and surrounding heap layout.(CVE-2026-25953) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the `xf_rail_server_local_move_size` function dereferences a freed `xfAppWindow` pointer. This occurs because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. A malicious server can trigger this client-side heap use-after-free, causing a crash (Denial of Service) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout.(CVE-2026-25954) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` contains an integer overflow vulnerability that can create an endless blocking loop. This may affect all client and server implementations using FreeRDP. For practical exploitation, this will only work on 32-bit systems where the available physical memory is greater than or equal to `SIZE_MAX`.(CVE-2026-27951) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing horizontal bounds validation of H.264 metablock regionRects coordinates. In yuv.c, the clamp() function (line 347) only validates top/bottom against the surface/YUV height, but never checks left/right against the surface width. When avc420_yuv_to_rgb (line 67) computes destination and source pointers using rect->left, it performs unchecked pointer arithmetic that can reach far beyond the allocated surface buffer. A malicious server sends a WIRE_TO_SURFACE_PDU_1 with AVC420 codec containing a regionRects entry where left greatly exceeds the surface width (e.g., left=60000 on a 128px surface). The H.264 bitstream decodes successfully, then yuv420_process_work_callback calls avc420_yuv_to_rgb which computes pDstPoint = pDstData + rect->top * nDstStep + rect->left * 4, writing 16-byte SSE vectors 1888+ bytes past the allocated heap region. This vulnerability is fixed in 3.24.0.(CVE-2026-29774) FreeRDP contains a heap buffer overflow vulnerability in bitmap_cache_put function where an out-of-bounds cacheId can lead to memory corruption.(CVE-2026-29775) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, division by zero in MS-ADPCM and IMA-ADPCM decoders when nBlockAlign is 0, leading to a crash. In libfreerdp/codec/dsp.c, both ADPCM decoders use size % block_size where block_size = context->common.format.nBlockAlign. The nBlockAlign value comes from the Server Audio Formats PDU on the RDPSND channel. The value 0 is not validated anywhere before reaching the decoder. When nBlockAlign = 0, the modulo operation causes a SIGFPE (floating point exception) crash. This vulnerability is fixed in 3.24.0.(CVE-2026-31884) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in freerdp_bitmap_decompress_planar when SrcSize is 0. The function dereferences *srcp (which points to pSrcData) without first verifying that SrcSize >= 1. When SrcSize is 0 and pSrcData is non-NULL, this reads one byte past the end of the source buffer. This vulnerability is fixed in 3.24.0.(CVE-2026-31897) A vulnerability exists in FreeRDP when processing the ClearCodec protocol, involving a desynchronization in glyph cache counts. An attacker can craft a malicious RDP packet, causing a mismatch in glyph cache counts on the client or server side, which triggers a heap out-of-bounds read. Successful exploitation of this vulnerability could lead to information disclosure, application crash, or create conditions for further attacks.(CVE-2026-33985) An update for freerdp is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3/openEuler-24.03-LTS-SP4. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical freerdp https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2439 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-25942 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-25952 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-25953 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-25954 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-27951 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-29774 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-29775 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31884 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-31897 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-33985 https://nvd.nist.gov/vuln/detail/CVE-2026-25942 https://nvd.nist.gov/vuln/detail/CVE-2026-25952 https://nvd.nist.gov/vuln/detail/CVE-2026-25953 https://nvd.nist.gov/vuln/detail/CVE-2026-25954 https://nvd.nist.gov/vuln/detail/CVE-2026-27951 https://nvd.nist.gov/vuln/detail/CVE-2026-29774 https://nvd.nist.gov/vuln/detail/CVE-2026-29775 https://nvd.nist.gov/vuln/detail/CVE-2026-31884 https://nvd.nist.gov/vuln/detail/CVE-2026-31897 https://nvd.nist.gov/vuln/detail/CVE-2026-33985 openEuler-24.03-LTS-SP3 freerdp-2.11.8-5.oe2403sp3.x86_64.rpm freerdp-debuginfo-2.11.8-5.oe2403sp3.x86_64.rpm freerdp-debugsource-2.11.8-5.oe2403sp3.x86_64.rpm freerdp-devel-2.11.8-5.oe2403sp3.x86_64.rpm freerdp-help-2.11.8-5.oe2403sp3.x86_64.rpm libwinpr-2.11.8-5.oe2403sp3.x86_64.rpm libwinpr-devel-2.11.8-5.oe2403sp3.x86_64.rpm freerdp-2.11.8-5.oe2403sp3.aarch64.rpm freerdp-debuginfo-2.11.8-5.oe2403sp3.aarch64.rpm freerdp-debugsource-2.11.8-5.oe2403sp3.aarch64.rpm freerdp-devel-2.11.8-5.oe2403sp3.aarch64.rpm freerdp-help-2.11.8-5.oe2403sp3.aarch64.rpm libwinpr-2.11.8-5.oe2403sp3.aarch64.rpm libwinpr-devel-2.11.8-5.oe2403sp3.aarch64.rpm freerdp-2.11.8-5.oe2403sp3.src.rpm A malicious server can trigger a client-side global buffer overflow, causing a crash (denial of service) 2026-05-22 CVE-2026-25942 openEuler-24.03-LTS-SP3 Medium 5.5 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X freerdp security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2439 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a heap-use-after-free vulnerability exists in the X11 client backend. Specifically, the `xf_SetWindowMinMaxInfo` function dereferences a freed `xfAppWindow` pointer. This occurs because `xf_rail_get_window` within `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table. The main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer, leading to a dangling pointer. A malicious server can exploit this to trigger a client-side crash (Denial of Service) and potentially cause heap corruption with a risk of code execution, depending on allocator behavior and surrounding heap layout. 2026-05-22 CVE-2026-25952 openEuler-24.03-LTS-SP3 Medium 5.5 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X freerdp security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2439 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the `xf_AppUpdateWindowFromSurface` function reads from a freed `xfAppWindow` object. This occurs because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order, resulting in a use-after-free condition. A malicious server can exploit this vulnerability to trigger a client-side heap use-after-free, causing a crash (Denial of Service) and potentially leading to heap corruption with a risk of code execution, depending on allocator behavior and surrounding heap layout. 2026-05-22 CVE-2026-25953 openEuler-24.03-LTS-SP3 Medium 5.5 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X freerdp security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2439 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the `xf_rail_server_local_move_size` function dereferences a freed `xfAppWindow` pointer. This occurs because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. A malicious server can trigger this client-side heap use-after-free, causing a crash (Denial of Service) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. 2026-05-22 CVE-2026-25954 openEuler-24.03-LTS-SP3 Medium 5.5 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X freerdp security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2439 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` contains an integer overflow vulnerability that can create an endless blocking loop. This may affect all client and server implementations using FreeRDP. For practical exploitation, this will only work on 32-bit systems where the available physical memory is greater than or equal to `SIZE_MAX`. 2026-05-22 CVE-2026-27951 openEuler-24.03-LTS-SP3 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L freerdp security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2439 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing horizontal bounds validation of H.264 metablock regionRects coordinates. In yuv.c, the clamp() function (line 347) only validates top/bottom against the surface/YUV height, but never checks left/right against the surface width. When avc420_yuv_to_rgb (line 67) computes destination and source pointers using rect->left, it performs unchecked pointer arithmetic that can reach far beyond the allocated surface buffer. A malicious server sends a WIRE_TO_SURFACE_PDU_1 with AVC420 codec containing a regionRects entry where left greatly exceeds the surface width (e.g., left=60000 on a 128px surface). The H.264 bitstream decodes successfully, then yuv420_process_work_callback calls avc420_yuv_to_rgb which computes pDstPoint = pDstData + rect->top * nDstStep + rect->left * 4, writing 16-byte SSE vectors 1888+ bytes past the allocated heap region. This vulnerability is fixed in 3.24.0. 2026-05-22 CVE-2026-29774 openEuler-24.03-LTS-SP3 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L freerdp security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2439 FreeRDP contains a heap buffer overflow vulnerability in bitmap_cache_put function where an out-of-bounds cacheId can lead to memory corruption. 2026-05-22 CVE-2026-29775 openEuler-24.03-LTS-SP3 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L freerdp security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2439 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, division by zero in MS-ADPCM and IMA-ADPCM decoders when nBlockAlign is 0, leading to a crash. In libfreerdp/codec/dsp.c, both ADPCM decoders use size % block_size where block_size = context->common.format.nBlockAlign. The nBlockAlign value comes from the Server Audio Formats PDU on the RDPSND channel. The value 0 is not validated anywhere before reaching the decoder. When nBlockAlign = 0, the modulo operation causes a SIGFPE (floating point exception) crash. This vulnerability is fixed in 3.24.0. 2026-05-22 CVE-2026-31884 openEuler-24.03-LTS-SP3 Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H freerdp security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2439 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in freerdp_bitmap_decompress_planar when SrcSize is 0. The function dereferences *srcp (which points to pSrcData) without first verifying that SrcSize >= 1. When SrcSize is 0 and pSrcData is non-NULL, this reads one byte past the end of the source buffer. This vulnerability is fixed in 3.24.0. 2026-05-22 CVE-2026-31897 openEuler-24.03-LTS-SP3 Critical 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H freerdp security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2439 A vulnerability exists in FreeRDP when processing the ClearCodec protocol, involving a desynchronization in glyph cache counts. An attacker can craft a malicious RDP packet, causing a mismatch in glyph cache counts on the client or server side, which triggers a heap out-of-bounds read. Successful exploitation of this vulnerability could lead to information disclosure, application crash, or create conditions for further attacks. 2026-05-22 CVE-2026-33985 openEuler-24.03-LTS-SP3 Medium 5.9 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L freerdp security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2439