Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in
the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio
channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a
size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such
that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header
(4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an
astronomical number of iterations. This vulnerability is fixed in 3.24.0. (CVE-2026-31883)
- FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap
buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing
horizontal bounds validation of H.264 metablock regionRects coordinates. In yuv.c, the clamp() function
(line 347) only validates top/bottom against the surface/YUV height, but never checks left/right against
the surface width. When avc420_yuv_to_rgb (line 67) computes destination and source pointers using
rect->left, it performs unchecked pointer arithmetic that can reach far beyond the allocated surface
buffer. A malicious server sends a WIRE_TO_SURFACE_PDU_1 with AVC420 codec containing a regionRects entry
where left greatly exceeds the surface width (e.g., left=60000 on a 128px surface). The H.264 bitstream
decodes successfully, then yuv420_process_work_callback calls avc420_yuv_to_rgb which computes pDstPoint =
pDstData + rect->top * nDstStep + rect->left * 4, writing 16-byte SSE vectors 1888+ bytes past the
allocated heap region. This vulnerability is fixed in 3.24.0. (CVE-2026-29774)
- FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-
of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in
bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells,
bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is
fixed in 3.24.0. (CVE-2026-29775)
- FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, Integer Underflow in
update_read_cache_bitmap_order Function of FreeRDP's Core Library This vulnerability is fixed in 3.24.0.
(CVE-2026-29776)
- FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits()
function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using
NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the
actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that
exceed the expected surface size. Because these values are used during bitmap decoding and memory
operations without proper bounds checking, this can lead to a heap buffer overflow. Since the attacker can
also control the associated pixel data transmitted by the server, the overflow may be exploitable to
overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0. (CVE-2026-31806)
Solution
Update the freerdp library and its related packages to version 3.24.0-r0 or later.
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Vulnerability Information
Exploit Ease: Exploits are available
Vulnerability Publication Date: 3/13/2026