Все бюллетени/p10/ALT-PU-2026-8423-4
ALT-PU-2026-8423-4

Обновление пакета freerdp3 в ветке p10

Версия3.26.0-alt1
Задание#419118
Опубликовано2026-06-04
Макс. серьёзностьHIGH
Серьёзность:

Закрытые проблемы (9)

BDU:2026-07426
HIGH8.8

Уязвимость функции gdi_CacheToSurface() RDP-клиента FreeRDP, позволяющая нарушителю выполнить произвольный код и вызвать отказ в обслуживании

Опубликовано: 2026-05-27
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.0КРИТИЧЕСКАЯ 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
Ссылки
BDU:2026-07646
HIGH8.8

Уязвимость функции cliprdr_server_receive_pdu() RDP-клиента FreeRDP, позволяющая нарушителю выполнить произвольный код и вызвать отказ в обслуживании

Опубликовано: 2026-06-01
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0КРИТИЧЕСКАЯ 9.0
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C
Ссылки
BDU:2026-07647
HIGH8.8

Уязвимость функции gdi_CreateSurface() RDP-клиента FreeRDP, позволяющая нарушителю выполнить произвольный код и вызвать отказ в обслуживании

Опубликовано: 2026-06-01
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0КРИТИЧЕСКАЯ 9.0
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C
Ссылки
CVE-2026-40033
HIGH8.7

FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but performs copy operations using unclamped cache entry dimensions, enabling malicious RDP servers to trigger large out-of-bounds writes and potentially achieve remote code execution or client crash.

Опубликовано: 2026-05-26Изменено: 2026-05-27
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0ВЫСОКАЯ 8.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки
CVE-2026-40254
MEDIUM6.1

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\` mid-path but misses `..` when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue.

Опубликовано: 2026-04-24Изменено: 2026-04-27
CVSS 3.xСРЕДНЯЯ 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Ссылки
CVE-2026-44420
HIGH8.8

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP's server-side clipboard (cliprdr) channel by sending a CB_CLIP_CAPS PDU with a too-small capabilitySetLength. This can crash the server process (remote DoS) and may be exploitable for code execution because it corrupts heap memory. This vulnerability is fixed in 3.26.0.

Опубликовано: 2026-05-29Изменено: 2026-06-02
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ссылки
CVE-2026-44421
HIGH8.8

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client by sending crafted RDPGFX PDUs. The bug is in gdi_CacheToSurface: it validates a destination rectangle that is clamped to UINT16_MAX, but then performs the copy using the original cacheEntry->width/height. This can cause a large out-of-bounds heap write and may lead to client crashes or code execution. This bug is reachable from a malicious RDP server, but only when the client has RDPGFX enabled. This vulnerability is fixed in 3.26.0.

Опубликовано: 2026-05-29Изменено: 2026-06-01
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Ссылки
CVE-2026-44422
HIGH8.8

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0.

Опубликовано: 2026-05-29Изменено: 2026-06-01
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Ссылки
CVE-2026-45700
HIGH7.7

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/planar.c, freerdp_bitmap_decompress_planar() validates the X destination coordinate nXDst against the caller-provided destination stride (nDstStep) even when it is writing into the internal temp buffer pTempData. An attacker can bypass the check with a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData. This vulnerability is fixed in 3.26.0.

Опубликовано: 2026-05-29Изменено: 2026-06-01
CVSS 3.xКРИТИЧЕСКАЯ 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0ВЫСОКАЯ 7.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки