FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and server implementations using `FreeRDP`. For practical exploitation this will only work on 32bit systems where the available physical memory is `>= SIZE_MAX`. Version 3.23.0 contains a patch. No known workarounds are available.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20632-1 advisory.

    Changes in freerdp2:

    - Update freerdp-3-macro:
      - Add WINPR_ATTR_MALLOC macro from freerdp 3

    - Security fixes for the following issues:
      * CVE-2026-25941: Fixed a out of bounds read (bsc#1258919)
      * CVE-2026-25942: Fixed a buffer overflow in xf_rail_server_execute_result() (bsc#1258920)
      * CVE-2026-27951: Fixed a denial of service in Stream_EnsureCapacity() (bsc#1258939)
      * CVE-2026-25997: Fixed a use-after-free in xf_clipboard_format_equal() (bsc#1258977)
      * CVE-2026-26986: Fixed a use-after-free in rail_window_free() (bsc#1258967)
      * CVE-2026-27015: Fixed a client denial of service via reachable assert (bsc#1258987)
      * CVE-2026-25952: Fixed a use-after-free in xf_SetWindowMinMaxInfo() (bsc#1258921)
      * CVE-2026-25953: Fixed a use-after-free in xf_AppUpdateWindowFromSurface() (bsc#1258923)
      * CVE-2026-25954: Fixed a use-after-free in xf_rail_server_local_move_size() (bsc#1258924)
      * CVE-2026-24684: Fixed a use-after-free in play_thread() (bsc#1257991).
      * CVE-2026-26271: Fixed a buffer overread in icon processing (bsc#1258979)
      * CVE-2026-26955: Fixed a out of bounds write (bsc#1258982)
      * CVE-2026-26965: Fixed a out of bounds write (bsc#1258985)
      * CVE-2026-31806: Fixed a buffer overflow via improper validation of server messages (bsc#1259653)
      * CVE-2026-31883: Fixed a buffer overflow via crafted audio format and wave data (bsc#1259679)
      * CVE-2026-31885: Fixed a out of bounds read (bsc#1259686)
      * CVE-2026-24491: Fix use-after-free that was accidentally introduced in the backport (bsc#1257981)
      * CVE-2026-22855: Fixed a buffer overflow in smartcard_unpack_set_attrib_call() (bsc#1256721)
      * CVE-2026-22857: Fixed a use-after-free in irp_thread_func() (bsc#1256723)
      * CVE-2026-23533: Fixed a buffer overflow in clear_decompress_residual_data() (bsc#1256943)
      * CVE-2026-23732: Fixed a buffer overflow in Glyph_Alloc() (bsc#1256945)
      * CVE-2026-23883: Fixed a use-after-free (bsc#1256946)
      * CVE-2026-23884: Fixed a use-after-free in gdi_set_bounds (bsc#1256947)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1640-1 advisory.

    - CVE-2026-25941: Out-of-Bounds Read in client RDPGFX channel via crafted `WIRE_TO_SURFACE_2` PDU     (bsc#1258919).
    - CVE-2026-25942: Global-buffer-overflow in `xf_rail_server_execute_result` (bsc#1258920).
    - CVE-2026-25952: Heap-use-after-free in `xf_SetWindowMinMaxInfo` (bsc#1258921).
    - CVE-2026-25953: Heap-use-after-free in `xf_AppUpdateWindowFromSurface` (bsc#1258923).
    - CVE-2026-25954: Heap-use-after-free in `xf_rail_server_local_move_size` (bsc#1258924).
    - CVE-2026-25997: Heap-use-after-free in `xf_clipboard_format_equal` (bsc#1258977).
    - CVE-2026-26986: Heap-use-after-free in `rail_window_free` (bsc#1258967).
    - CVE-2026-27015: Smartcard NDR alignment padding triggers reachable `WINPR_ASSERT` abort (bsc#1258987).
    - CVE-2026-27951: Denial of Service via endless blocking loop in `Stream_EnsureCapacity` (bsc#1258939).
    - CVE-2026-29774: Missing bounds validation can cause a client-side heap buffer overflow (bsc#1259689).
    - CVE-2026-29775: Malicious server can trigger a client-side heap out-of-bounds access (bsc#1259684).
    - CVE-2026-29776: Missing length check can lead to an integer underflow (bsc#1259692).
    - CVE-2026-31897: Missing length check can cause an out-of-bounds read (bsc#1259693).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1633-1 advisory.

    - CVE-2026-25941: Out-of-Bounds Read in client RDPGFX channel via crafted `WIRE_TO_SURFACE_2` PDU     (bsc#1258919).
    - CVE-2026-25942: Global-buffer-overflow in `xf_rail_server_execute_result` (bsc#1258920).
    - CVE-2026-25952: Heap-use-after-free in `xf_SetWindowMinMaxInfo` (bsc#1258921).
    - CVE-2026-25953: Heap-use-after-free in `xf_AppUpdateWindowFromSurface` (bsc#1258923).
    - CVE-2026-25954: Heap-use-after-free in `xf_rail_server_local_move_size` (bsc#1258924).
    - CVE-2026-25955: Heap-use-after-free in `xf_AppUpdateWindowFromSurface` (bsc#1258973).
    - CVE-2026-25959: Heap-use-after-free in `xf_cliprdr_provide_data_` (bsc#1258976).
    - CVE-2026-25997: Heap-use-after-free in `xf_clipboard_format_equal` (bsc#1258977).
    - CVE-2026-26986: Heap-use-after-free in `rail_window_free` (bsc#1258967).
    - CVE-2026-27015: Smartcard NDR alignment padding triggers reachable `WINPR_ASSERT` abort (bsc#1258987).
    - CVE-2026-27950: Denial of service due to incomplete fix for heap-use-after-free vulnerability     (bsc#1258941).
    - CVE-2026-27951: Denial of service via endless blocking loop in `Stream_EnsureCapacity` (bsc#1258939).
    - CVE-2026-29774: Missing bounds validation can cause a client-side heap buffer overflow (bsc#1259689).
    - CVE-2026-29775: Malicious server can trigger a client-side heap out-of-bounds access (bsc#1259684).
    - CVE-2026-29776: Missing length check can lead to an integer underflow (bsc#1259692).
    - CVE-2026-31897: Missing length check can cause an out-of-bounds read (bsc#1259693).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1634-1 advisory.

    - CVE-2026-25941: Out-of-Bounds Read in client RDPGFX channel via crafted `WIRE_TO_SURFACE_2` PDU     (bsc#1258919).
    - CVE-2026-25942: Global-buffer-overflow in `xf_rail_server_execute_result` (bsc#1258920).
    - CVE-2026-25952: Heap-use-after-free in `xf_SetWindowMinMaxInfo` (bsc#1258921).
    - CVE-2026-25953: Heap-use-after-free in `xf_AppUpdateWindowFromSurface` (bsc#1258923).
    - CVE-2026-25954: Heap-use-after-free in `xf_rail_server_local_move_size` (bsc#1258924).
    - CVE-2026-25997: Heap-use-after-free in `xf_clipboard_format_equal` (bsc#1258977).
    - CVE-2026-26986: Heap-use-after-free in `rail_window_free` (bsc#1258967).
    - CVE-2026-27015: Smartcard NDR alignment padding triggers reachable `WINPR_ASSERT` abort (bsc#1258987).
    - CVE-2026-27951: Denial of service via endless blocking loop in `Stream_EnsureCapacity` (bsc#1258939).
    - CVE-2026-29774: Missing bounds validation can cause a client-side heap buffer overflow (bsc#1259689).
    - CVE-2026-29775: Malicious server can trigger a client-side heap out-of-bounds access (bsc#1259684).
    - CVE-2026-29776: Missing length check can lead to an integer underflow (bsc#1259692).
    - CVE-2026-31897: Missing length check can cause an out-of-bounds read (bsc#1259693).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1632-1 advisory.

    - CVE-2026-25941: Out-of-Bounds Read in client RDPGFX channel via crafted `WIRE_TO_SURFACE_2` PDU     (bsc#1258919).
    - CVE-2026-25942: Global-buffer-overflow in `xf_rail_server_execute_result` (bsc#1258920).
    - CVE-2026-25952: Heap-use-after-free in `xf_SetWindowMinMaxInfo` (bsc#1258921).
    - CVE-2026-25953: Heap-use-after-free in `xf_AppUpdateWindowFromSurface` (bsc#1258923).
    - CVE-2026-25954: Heap-use-after-free in `xf_rail_server_local_move_size` (bsc#1258924).
    - CVE-2026-25997: Heap-use-after-free in `xf_clipboard_format_equal` (bsc#1258977).
    - CVE-2026-26986: Heap-use-after-free in `rail_window_free` (bsc#1258967).
    - CVE-2026-27015: Smartcard NDR alignment padding triggers reachable `WINPR_ASSERT` abort (bsc#1258987).
    - CVE-2026-27951: Denial of service via endless blocking loop in `Stream_EnsureCapacity` (bsc#1258939).
    - CVE-2026-29774: Missing bounds validation can cause a client-side heap buffer overflow (bsc#1259689).
    - CVE-2026-29775: Malicious server can trigger a client-side heap out-of-bounds access (bsc#1259684).
    - CVE-2026-29776: Missing length check can lead to an integer underflow (bsc#1259692).
    - CVE-2026-31897: Missing length check can cause an out-of-bounds read (bsc#1259693).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1635-1 advisory.

    - CVE-2026-25941: Out-of-Bounds Read in client RDPGFX channel via crafted `WIRE_TO_SURFACE_2` PDU     (bsc#1258919).
    - CVE-2026-25942: Global-buffer-overflow in `xf_rail_server_execute_result` (bsc#1258920).
    - CVE-2026-25952: Heap-use-after-free in `xf_SetWindowMinMaxInfo` (bsc#1258921).
    - CVE-2026-25953: Heap-use-after-free in `xf_AppUpdateWindowFromSurface` (bsc#1258923).
    - CVE-2026-25954: Heap-use-after-free in `xf_rail_server_local_move_size` (bsc#1258924).
    - CVE-2026-25997: Heap-use-after-free in `xf_clipboard_format_equal` (bsc#1258977).
    - CVE-2026-26986: Heap-use-after-free in `rail_window_free` (bsc#1258967).
    - CVE-2026-27015: Smartcard NDR alignment padding triggers reachable `WINPR_ASSERT` abort (bsc#1258987).
    - CVE-2026-27951: Denial of service via endless blocking loop in `Stream_EnsureCapacity` (bsc#1258939).
    - CVE-2026-29774: Missing bounds validation can cause a client-side heap buffer overflow (bsc#1259689).
    - CVE-2026-29775: Malicious server can trigger a client-side heap out-of-bounds access (bsc#1259684).
    - CVE-2026-29776: Missing length check can lead to an integer underflow (bsc#1259692).
    - CVE-2026-31897: Missing length check can cause an out-of-bounds read (bsc#1259693).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1512 advisory.

    FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to to     2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP     client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a     crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet.
    This can lead to information disclosure or client crashes when a user connects to a malicious server.
    Versions 2.11.8 and 3.23.0 fix the issue. (CVE-2026-25941)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0,     `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 0-6)     with an unchecked `execResult->execResult` value received from the server, allowing an out-of-bounds read     when the server sends an `execResult` value of 7 or greater. Version 3.23.0 fixes the issue.
    (CVE-2026-25942)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0,     `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in     `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the     main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread     is still using the pointer. Version 3.23.0 fixes the issue. (CVE-2026-25952)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0,     `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a     bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can     concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue.
    (CVE-2026-25953)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0,     `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window`     returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently     delete the window (via a window delete order) while the RAIL channel thread is still using the pointer.
    Version 3.23.0 fixes the issue. (CVE-2026-25954)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0,     `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX     surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the     `appWindow->image` that aliases it. Version 3.23.0 fixes the issue. (CVE-2026-25955)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0,     `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread     calls `xf_cliprdr_server_format_data_response` which converts and uses the clipboard data without holding     any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data` - `HashTable_Clear`     which frees the same data via `xf_cached_data_free`, triggering a heap use after free. Version 3.23.0     fixes the issue. (CVE-2026-25959)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0,     `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free`     (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread     concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes     the issue. (CVE-2026-25997)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer     overread in `freerdp_image_copy_from_icon_data()` (libfreerdp/codec/color.c) can be triggered by crafted     RDP Window Icon (TS_ICON_INFO) data. The bug is reachable over the network when a client processes icon     data from an RDP server (or from a man-in-the-middle). Version 3.23.0 fixes the issue. (CVE-2026-26271)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0,     `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because     `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the     entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect.
    Version 3.23.0 fixes the vulnerability. (CVE-2026-26986)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds     check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a     malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` - `abort()`. The crash     occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR     CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp     /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue. (CVE-2026-27015)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the     heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow     referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to     the SDL3 code path. In the SDL2 implementation, the pointer is not nulled after free. This creates a     situation where the advisory suggests the vulnerability is fully resolved, while builds or environments     still using SDL2 may retain the vulnerable logic. A complete fix is available in version 3.23.0.
    (CVE-2026-27950)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function     `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and server     implementations using `FreeRDP`. For practical exploitation this will only work on 32bit systems where the     available physical memory is `>= SIZE_MAX`. Version 3.23.0 contains a patch. No known workarounds are     available. (CVE-2026-27951)

    A flaw was found in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). The     `gdi_surface_bits()` function, which processes `SURFACE_BITS_COMMAND` messages, does not properly validate     image dimensions (`bmp.width` and `bmp.height`) provided by a malicious RDP server. This can lead to a     heap buffer overflow during bitmap decoding and memory operations. A remote attacker could exploit this to     overwrite adjacent memory, potentially resulting in arbitrary code execution. (CVE-2026-31806)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of freerdp installed on the remote host is prior to 2.11.7-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3221 advisory.

    FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to to     2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP     client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a     crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet.
    This can lead to information disclosure or client crashes when a user connects to a malicious server.
    Versions 2.11.8 and 3.23.0 fix the issue. (CVE-2026-25941)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0,     `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 0-6)     with an unchecked `execResult->execResult` value received from the server, allowing an out-of-bounds read     when the server sends an `execResult` value of 7 or greater. Version 3.23.0 fixes the issue.
    (CVE-2026-25942)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0,     `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in     `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the     main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread     is still using the pointer. Version 3.23.0 fixes the issue. (CVE-2026-25952)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0,     `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a     bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can     concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue.
    (CVE-2026-25953)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0,     `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window`     returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently     delete the window (via a window delete order) while the RAIL channel thread is still using the pointer.
    Version 3.23.0 fixes the issue. (CVE-2026-25954)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0,     `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free`     (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread     concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes     the issue. (CVE-2026-25997)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer     overread in `freerdp_image_copy_from_icon_data()` (libfreerdp/codec/color.c) can be triggered by crafted     RDP Window Icon (TS_ICON_INFO) data. The bug is reachable over the network when a client processes icon     data from an RDP server (or from a man-in-the-middle). Version 3.23.0 fixes the issue. (CVE-2026-26271)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0,     `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because     `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the     entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect.
    Version 3.23.0 fixes the vulnerability. (CVE-2026-26986)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds     check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a     malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` - `abort()`. The crash     occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR     CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp     /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue. (CVE-2026-27015)

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function     `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and server     implementations using `FreeRDP`. For practical exploitation this will only work on 32bit systems where the     available physical memory is `>= SIZE_MAX`. Version 3.23.0 contains a patch. No known workarounds are     available. (CVE-2026-27951)

    A flaw was found in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). The     `gdi_surface_bits()` function, which processes `SURFACE_BITS_COMMAND` messages, does not properly validate     image dimensions (`bmp.width` and `bmp.height`) provided by a malicious RDP server. This can lead to a     heap buffer overflow during bitmap decoding and memory operations. A remote attacker could exploit this to     overwrite adjacent memory, potentially resulting in arbitrary code execution. (CVE-2026-31806)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 24.04 LTS / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8105-1 advisory.

    It was discovered that FreeRDP incorrectly handled certain RDP packets. A remote attacker could use this     issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function     `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and server     implementations using `FreeRDP`. For practical exploitation this will only work on 32bit systems where the     available physical memory is `>= SIZE_MAX`. Version 3.23.0 contains a patch. No known workarounds are     available. (CVE-2026-27951)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
311767	openSUSE 16 Security Update : freerdp2 (openSUSE-SU-2026:20632-1)	Nessus	SuSE Local Security Checks	critical
311755	SUSE SLED15 / SLES15 Security Update : freerdp2 (SUSE-SU-2026:1640-1)	Nessus	SuSE Local Security Checks	critical
310650	SUSE SLED15 / SLES15 Security Update : freerdp (SUSE-SU-2026:1633-1)	Nessus	SuSE Local Security Checks	medium
310649	SUSE SLES15 Security Update : freerdp (SUSE-SU-2026:1634-1)	Nessus	SuSE Local Security Checks	medium
310648	SUSE SLES15 Security Update : freerdp (SUSE-SU-2026:1632-1)	Nessus	SuSE Local Security Checks	medium
310647	SUSE SLES12 Security Update : freerdp (SUSE-SU-2026:1635-1)	Nessus	SuSE Local Security Checks	medium
304607	Amazon Linux 2023 : freerdp, freerdp-devel, freerdp-libs (ALAS2023-2026-1512)	Nessus	Amazon Linux Local Security Checks	critical
304573	Amazon Linux 2 : freerdp, --advisory ALAS2-2026-3221 (ALAS-2026-3221)	Nessus	Amazon Linux Local Security Checks	critical
303026	Ubuntu 24.04 LTS / 25.10 : FreeRDP vulnerabilities (USN-8105-1)	Nessus	Ubuntu Local Security Checks	high
300278	Linux Distros Unpatched Vulnerability : CVE-2026-27951	Nessus	Misc.	high

Detections

Analytics

CVE-2026-27951

high

Tenable Plugins

critical

critical

medium

medium

medium

medium

critical

critical

high

high