[ubuntu/noble-updates] freerdp3 3.5.1+dfsg1-0ubuntu1.4 (Accepted)

Ubuntu Archive Robot ubuntu-archive-robot at lists.canonical.com
Wed Mar 18 17:30:47 UTC 2026 

freerdp3 (3.5.1+dfsg1-0ubuntu1.4) noble-security; urgency=medium

  * SECURITY UPDATE: use-after-free via race condition
    - debian/patches/CVE-2026-22851-pre1.patch: replace std::lock_guard
      with std::scoped_lock in client/SDL/dialogs/sdl_dialogs.cpp,
      client/SDL/sdl_freerdp.cpp,
      server/proxy/modules/dyn-channel-dump/dyn-channel-dump.cpp.
    - debian/patches/CVE-2026-22851.patch: lock primary while used in
      client/SDL/sdl_freerdp.cpp.
    - CVE-2026-22851
  * SECURITY UPDATE: heap-buffer-overflow via Audio Input format lists
    - debian/patches/CVE-2026-22852.patch: free up old audio formats in
      channels/audin/client/audin_main.c.
    - CVE-2026-22852
  * SECURITY UPDATE: heap-buffer-overflow in drive read
    - debian/patches/CVE-2026-22854.patch: fix constant type in
      channels/drive/client/drive_main.c.
    - CVE-2026-22854
  * SECURITY UPDATE: heap OOB read in the smartcard SetAttrib path
    - debian/patches/CVE-2026-22855.patch: add length validity checks in
      libfreerdp/utils/smartcard_pack.c.
    - CVE-2026-22855
  * SECURITY UPDATE: race in the serial channel IRP thread tracking
    - debian/patches/CVE-2026-22856-pre1.patch: fix IrpThread handling in
      channels/serial/client/serial_main.c.
    - debian/patches/CVE-2026-22856-1.patch: lock list dictionary in
      channels/serial/client/serial_main.c.
    - debian/patches/CVE-2026-22856-2.patch: explicitly lock
      serial->IrpThreads in channels/serial/client/serial_main.c.
    - CVE-2026-22856
  * SECURITY UPDATE: heap use-after-free in irp_thread_func
    - debian/patches/CVE-2026-22857.patch: fix use after free in
      channels/serial/client/serial_main.c.
    - CVE-2026-22857
  * SECURITY UPDATE: global-buffer-overflow in Base64 decoding
    - debian/patches/CVE-2026-22858-1.patch: ensure char is singend in
      libfreerdp/crypto/base64.c.
    - debian/patches/CVE-2026-22858-2.patch: do proper length checks in
      libfreerdp/crypto/base64.c.
    - CVE-2026-22858
  * SECURITY UPDATE: OOB read via MSUSB_INTERFACE_DESCRIPTOR values
    - debian/patches/CVE-2026-22859.patch: check interface indices before
      use in channels/urbdrc/client/data_transfer.c,
      channels/urbdrc/client/libusb/libusb_udevice.c,
      channels/urbdrc/client/libusb/libusb_udevice.c.
    - CVE-2026-22859
  * SECURITY UPDATE: heap buffer overflow in RLE decode
    - debian/patches/CVE-2026-23530.patch: fix decoder length checks in
      libfreerdp/codec/planar.c.
    - CVE-2026-23530
  * SECURITY UPDATE: OOB read/write via crafted RDPGFX surface updates
    - debian/patches/CVE-2026-23531-1.patch: fix missing length checks in
      libfreerdp/codec/clear.c.
    - debian/patches/CVE-2026-23531-2.patch: check clear_decomress
      glyphData in libfreerdp/codec/clear.c.
    - CVE-2026-23531
  * SECURITY UPDATE: client-side heap overflow in gdi_SurfaceToSurface
    - debian/patches/CVE-2026-23532.patch: properly clamp SurfaceToSurface
      in libfreerdp/gdi/gfx.c.
    - CVE-2026-23532
  * SECURITY UPDATE: client-side heap overflow in RDPGFX ClearCodec
    - debian/patches/CVE-2026-23533.patch: fix clear_resize_buffer checks
      in libfreerdp/codec/clear.c.
    - CVE-2026-23533
  * SECURITY UPDATE: client-side heap overflow in ClearCodec bands decode
    - debian/patches/CVE-2026-23534.patch: fix off by one length check in
      libfreerdp/codec/clear.c.
    - CVE-2026-23534
  * SECURITY UPDATE: overflow in FastGlyph parsing
    - debian/patches/CVE-2026-23732.patch: add freerdp_glyph_convert_ex in
      include/freerdp/codec/color.h, libfreerdp/codec/color.c.
    - debian/libfreerdp3-3.symbols: added new symbol.
    - CVE-2026-23732
  * SECURITY UPDATE: client‑side use after free via invalid Pointer
    - debian/patches/CVE-2026-23883.patch: fix double free in case of
      invalid pointer in client/X11/xf_graphics.c.
    - CVE-2026-23883
  * SECURITY UPDATE: client-side UaF via offscreen bitmap deletion
    - debian/patches/CVE-2026-23884.patch: invalidate bitmap before free in
      libfreerdp/cache/offscreen.c.
    - CVE-2026-23884
  * SECURITY UPDATE: OOB read in RDPGFX channel
    - debian/patches/CVE-2026-25941.patch: check available stream length in
      channels/rdpgfx/client/rdpgfx_main.c.
    - CVE-2026-25941
  * SECURITY UPDATE: OOB read via execResult value
    - debian/patches/CVE-2026-25942.patch: stringfiy functions for RAILS in
      client/X11/xf_rail.c.
    - CVE-2026-25942
  * SECURITY UPDATE: multiple window issues
    - debian/patches/CVE-2026-25952_3_4.patch: lock appWindow in
      client/X11/xf_event.c, client/X11/xf_graphics.c,
      client/X11/xf_rail.c, client/X11/xf_rail.h, client/X11/xf_window.c,
      client/X11/xf_window.h.
    - CVE-2026-25952
    - CVE-2026-25953
    - CVE-2026-25954
  * SECURITY UPDATE: use after free RDPGFX surface buffer
    - debian/patches/CVE-2026-25955.patch: destroy XImage on window unmap
      in client/X11/xf_gfx.c, client/X11/xf_window.c,
      client/X11/xf_window.h.
    - CVE-2026-25955
  * SECURITY UPDATE: use after free in xf_cliprdr_provide_data_
    - debian/patches/CVE-2026-25959.patch: lock cache when providing data
      in client/X11/xf_cliprdr.c.
    - CVE-2026-25959
  * SECURITY UPDATE: use after free in xf_clipboard_format_equal
    - debian/patches/CVE-2026-25997.patch: fix clipboard update in
      client/X11/xf_cliprdr.c.
    - CVE-2026-25997
  * SECURITY UPDATE: buffer overread in freerdp_image_copy_from_icon_data()
    - debian/patches/CVE-2026-26271.patch: fix input length checks in
      libfreerdp/codec/color.c.
    - CVE-2026-26271
  * SECURITY UPDATE: heap buffer overflow in GDI surface pipeline
    - debian/patches/CVE-2026-26955.patch: fix destination checks in
      libfreerdp/codec/clear.c.
    - CVE-2026-26955
  * SECURITY UPDATE: OOB write in RLE planar decode path
    - debian/patches/CVE-2026-26965.patch: fix missing destination bounds
      checks in libfreerdp/codec/planar.c.
    - CVE-2026-26965
  * SECURITY UPDATE: use after free in rail_window_free
    - debian/patches/CVE-2026-26986.patch: fix xf_rail_window_common
      cleanup in client/X11/xf_rail.c.
    - CVE-2026-26986
  * SECURITY UPDATE: reachable assert via missing bounds check in
    smartcard_unpack_read_size_align()
    - debian/patches/CVE-2026-27015.patch: check stream length on padding
      in libfreerdp/utils/smartcard_operations.c,
      libfreerdp/utils/smartcard_pack.c.
    - CVE-2026-27015
  * SECURITY UPDATE: endless blocking loop in Stream_EnsureCapacity
    - debian/patches/CVE-2026-27951.patch: fix growth of preallocated
      buffers.
    - CVE-2026-27951

Date: 2026-03-16 23:24:10.068574+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/freerdp3/3.5.1+dfsg1-0ubuntu1.4
-------------- next part --------------
Sorry, changesfile not available.

More information about the noble-changes mailing list