{
  "document": {
    "aggregate_severity": {
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "CVE-2023-39355: fix use-after-free in RDPGFX_CMDID_RESETGRAPHICS handling when\n  context->maxPlaneSize == 0; update context->planesBuffer after free and\n  prevent access to freed memory\n- CVE-2026-26965: fix heap out-of-bounds write in RLE planar decode that permits\n  attacker-controlled pixel data and offset to overwrite an adjacent function pointer;\n  validate (nYDst+nSrcHeight) and (nXDst+nSrcWidth) against destination bounds\n  and ensure writes use the correct buffer, preventing the OOB write\n- CVE-2026-26955: fix heap buffer overflow in GDI surface pipeline caused by\n  out-of-bounds ClearCodec destination rectangle; add top-level guard in\n  clear_decompress() to validate nXDst/nYDst against destination surface\n  dimensions protecting all code paths (bands, residual, glyph, subcodec);\n  fix subcodec bounds checks to compare against destination dimensions",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/centos7els/advisories/2026/clsa-2026_1775223344.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-13T09:51:12Z",
      "generator": {
        "date": "2026-04-13T09:51:12Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1775223344",
      "initial_release_date": "2026-04-03T13:35:46Z",
      "revision_history": [
        {
          "date": "2026-04-03T13:35:46Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-13T09:51:12Z",
          "number": "2",
          "summary": "Official Publication"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "freerdp: Fix of 3 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Community Enterprise Operating System 7",
                "product": {
                  "name": "Community Enterprise Operating System 7",
                  "product_id": "CentOS-7",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:centos:centos:7:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Community Enterprise Operating System"
          }
        ],
        "category": "vendor",
        "name": "Red Hat, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
                "product": {
                  "name": "libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
                  "product_id": "libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libwinpr-devel@2.1.1-5.el7_9.tuxcare.els19?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
                "product": {
                  "name": "libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
                  "product_id": "libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libwinpr@2.1.1-5.el7_9.tuxcare.els19?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
                "product": {
                  "name": "freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
                  "product_id": "freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/freerdp-devel@2.1.1-5.el7_9.tuxcare.els19?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
                "product": {
                  "name": "freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
                  "product_id": "freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/freerdp@2.1.1-5.el7_9.tuxcare.els19?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
                "product": {
                  "name": "freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
                  "product_id": "freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/freerdp-libs@2.1.1-5.el7_9.tuxcare.els19?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
                "product": {
                  "name": "libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
                  "product_id": "libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libwinpr-devel@2.1.1-5.el7_9.tuxcare.els19?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
                "product": {
                  "name": "libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
                  "product_id": "libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libwinpr@2.1.1-5.el7_9.tuxcare.els19?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
                "product": {
                  "name": "freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
                  "product_id": "freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/freerdp-devel@2.1.1-5.el7_9.tuxcare.els19?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
                "product": {
                  "name": "freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
                  "product_id": "freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/freerdp-libs@2.1.1-5.el7_9.tuxcare.els19?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
        },
        "product_reference": "libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686"
        },
        "product_reference": "libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
        },
        "product_reference": "libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686"
        },
        "product_reference": "libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
        },
        "product_reference": "freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686"
        },
        "product_reference": "freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
        },
        "product_reference": "freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
        },
        "product_reference": "freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686"
        },
        "product_reference": "freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
        "relates_to_product_reference": "CentOS-7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-25941",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "description",
          "text": "FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-25941"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/commit/2e3b77e28ac6a398897d28ba464dcc5dfab9c9e2",
          "url": "https://github.com/FreeRDP/FreeRDP/commit/2e3b77e28ac6a398897d28ba464dcc5dfab9c9e2"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3546-x645-5cf8",
          "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3546-x645-5cf8"
        }
      ],
      "release_date": "2026-02-25T20:23:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-03T13:35:46.913060Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344",
          "product_ids": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2026-25953",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "description",
          "text": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-25953"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1230-L1237",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1230-L1237"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L257-L290",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L257-L290"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L643-L647",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L643-L647"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1394-L1428",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1394-L1428"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1462-L1470",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1462-L1470"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1484-L1491",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1484-L1491"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/libfreerdp/gdi/gfx.c#L254-L286",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/libfreerdp/gdi/gfx.c#L254-L286"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/libfreerdp/gdi/gfx.c#L278-L279",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/libfreerdp/gdi/gfx.c#L278-L279"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/commit/1994e9844212a6dfe0ff12309fef520e888986b5",
          "url": "https://github.com/FreeRDP/FreeRDP/commit/1994e9844212a6dfe0ff12309fef520e888986b5"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6rq-rxpc-rh3p",
          "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6rq-rxpc-rh3p"
        }
      ],
      "release_date": "2026-02-25T21:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-03T13:35:46.913060Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344",
          "product_ids": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ]
    },
    {
      "cve": "CVE-2026-25954",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "description",
          "text": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-25954"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1076",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1076"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1133",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1133"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1230-L1238",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1230-L1238"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1347",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1347"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1350-L1359",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1350-L1359"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L647",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L647"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/commit/1994e9844212a6dfe0ff12309fef520e888986b5",
          "url": "https://github.com/FreeRDP/FreeRDP/commit/1994e9844212a6dfe0ff12309fef520e888986b5"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cc88-4j37-mw6j",
          "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cc88-4j37-mw6j"
        }
      ],
      "release_date": "2026-02-25T21:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-03T13:35:46.913060Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344",
          "product_ids": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2026-25959",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "description",
          "text": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response` which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data` → `HashTable_Clear` which frees the same data via `xf_cached_data_free`, triggering a heap use after free. Version 3.23.0 fixes the issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-25959"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L1229-L1243",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L1229-L1243"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L1337-L1344",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L1337-L1344"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L200-L208",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L200-L208"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L2295",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L2295"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L2323-L2334",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L2323-L2334"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L2363",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L2363"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L933",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_cliprdr.c#L933"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/commit/d3e8b3b9365be96a4f11dda149d71b3287227d0a",
          "url": "https://github.com/FreeRDP/FreeRDP/commit/d3e8b3b9365be96a4f11dda149d71b3287227d0a"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78xg-v4p2-4w3c",
          "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78xg-v4p2-4w3c"
        }
      ],
      "release_date": "2026-02-25T21:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-03T13:35:46.913060Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344",
          "product_ids": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ]
    },
    {
      "cve": "CVE-2026-26955",
      "cwe": {
        "id": "CWE-805",
        "name": "Buffer Access with Incorrect Length Value"
      },
      "notes": [
        {
          "category": "description",
          "text": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-26955"
        }
      ],
      "release_date": "2026-02-25T20:47:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-03T13:35:46.913060Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344",
          "product_ids": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2026-26965",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "description",
          "text": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128×128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-26965"
        }
      ],
      "release_date": "2026-02-25T20:59:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-03T13:35:46.913060Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344",
          "product_ids": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2026-25952",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "description",
          "text": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-25952"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1167",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1167"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1174",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1174"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1178",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1178"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1230-L1238",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1230-L1238"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L643",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L643"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1111",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1111"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1128",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1128"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1394",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1394"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1428",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1428"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/commit/1994e9844212a6dfe0ff12309fef520e888986b5",
          "url": "https://github.com/FreeRDP/FreeRDP/commit/1994e9844212a6dfe0ff12309fef520e888986b5"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cgqm-cwjg-7w9x",
          "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cgqm-cwjg-7w9x"
        }
      ],
      "release_date": "2026-02-25T21:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-03T13:35:46.913060Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344",
          "product_ids": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ]
    },
    {
      "cve": "CVE-2026-27951",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "notes": [
        {
          "category": "description",
          "text": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and server implementations using `FreeRDP`. In practice, this is exploitable only on 32-bit systems where the available physical memory is `>= SIZE_MAX`. Version 3.23.0 contains a patch. No known workarounds are available.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-27951"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/commit/118afc0b954ba9d5632b7836ad24e454555ed113",
          "url": "https://github.com/FreeRDP/FreeRDP/commit/118afc0b954ba9d5632b7836ad24e454555ed113"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qcfc-ghxr-h927",
          "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qcfc-ghxr-h927"
        }
      ],
      "release_date": "2026-02-25T22:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-03T13:35:46.913060Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344",
          "product_ids": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2026-26986",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "description",
          "text": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-26986"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1230-L1238",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1230-L1238"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1297",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1297"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1316-L1327",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1316-L1327"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L386-L394",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L386-L394"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L395-L399",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L395-L399"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L401-L404",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L401-L404"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/commit/b4f0f0a18fe53aa8d47d062f91471f4e9c5e0d51",
          "url": "https://github.com/FreeRDP/FreeRDP/commit/b4f0f0a18fe53aa8d47d062f91471f4e9c5e0d51"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-crqx-g6x5-rx47",
          "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-crqx-g6x5-rx47"
        }
      ],
      "release_date": "2026-02-25T22:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-03T13:35:46.913060Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344",
          "product_ids": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2026-25942",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 0–6) with an unchecked `execResult->execResult` value received from the server, allowing an out-of-bounds read when the server sends an `execResult` value of 7 or greater. Version 3.23.0 fixes the issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-25942"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/channels/rail/client/rail_orders.c#L528",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/channels/rail/client/rail_orders.c#L528"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/channels/rail/client/rail_orders.c#L75-L76",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/channels/rail/client/rail_orders.c#L75-L76"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_rail.c#L1014-L1017",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_rail.c#L1014-L1017"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_rail.c#L40-L46",
          "url": "https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_rail.c#L40-L46"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/commit/9362a0bf8dda04eedbca07d5dfaec1044e67cc6b",
          "url": "https://github.com/FreeRDP/FreeRDP/commit/9362a0bf8dda04eedbca07d5dfaec1044e67cc6b"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78q6-67m7-wwf6",
          "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78q6-67m7-wwf6"
        }
      ],
      "release_date": "2026-02-25T21:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-03T13:35:46.913060Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344",
          "product_ids": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2023-39355",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "description",
          "text": "FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Versions of FreeRDP on the 3.x release branch before beta3 are subject to a Use-After-Free in processing `RDPGFX_CMDID_RESETGRAPHICS` packets. If `context->maxPlaneSize` is 0, `context->planesBuffer` will be freed. However, without updating `context->planesBuffer`, this leads to a Use-After-Free exploit vector. In most environments this should only result in a crash. This issue has been addressed in version 3.0.0-beta3 and users of the beta 3.x releases are advised to upgrade. There are no known workarounds for this vulnerability.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
          "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-39355"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/commit/d6f9d33a7db0b346195b6a15b5b99944ba41beee",
          "url": "https://github.com/FreeRDP/FreeRDP/commit/d6f9d33a7db0b346195b6a15b5b99944ba41beee"
        },
        {
          "category": "external",
          "summary": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hvwj-vmg6-2f5h",
          "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hvwj-vmg6-2f5h"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2023/10/msg00008.html",
          "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00008.html"
        },
        {
          "category": "external",
          "summary": "https://security.gentoo.org/glsa/202401-16",
          "url": "https://security.gentoo.org/glsa/202401-16"
        }
      ],
      "release_date": "2023-08-31T20:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-03T13:35:46.913060Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344",
          "product_ids": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775223344"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:freerdp-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:freerdp-libs-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-0:2.1.1-5.el7_9.tuxcare.els19.x86_64",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.i686",
            "CentOS-7:libwinpr-devel-0:2.1.1-5.el7_9.tuxcare.els19.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ]
    }
  ]
}