Alpine: multiple freerdp packages: security update to 3.24.0-r0

critical Tenable Cloud Security Plugin ID 438823

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in
the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio
channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a
size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such
that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header
(4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an
astronomical number of iterations. This vulnerability is fixed in 3.24.0. (CVE-2026-31883)
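The underflow pattern described above, as an added illustration that is not FreeRDP's code (it is not libfreerdp/codec/dsp.c): the block layout, the function names and the sizes used are hypothetical. The first function reproduces the unchecked subtraction so its wrap-around is visible as a return value; the checked variant and the length walk show the guard a decoder needs before consuming a peer-supplied block header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical block layout for illustration only (not FreeRDP's).
 * A "block" is block_align bytes: a header_size-byte header followed by
 * sample bytes. Both block_align and the total size come from the peer. */

/* Defect pattern: subtract the header without checking that one fits.
 * For size < header_size the unsigned result wraps to near SIZE_MAX. */
size_t remaining_after_header_unchecked(size_t size, size_t header_size)
{
    return size - header_size;
}

/* Hardened form: refuse a header larger than the bytes that remain. */
bool remaining_after_header_checked(size_t size, size_t header_size, size_t *out)
{
    if (size < header_size)
        return false;
    *out = size - header_size;
    return true;
}

/* Walk the remaining length the way a block decoder would: at every block
 * boundary (size % block_align == 0) a header is consumed, otherwise one
 * sample byte. Returns the number of headers consumed, or -1 when the
 * peer-supplied lengths are inconsistent (where the unchecked subtraction
 * would wrap and the while (size > 0) loop would effectively never end). */
long count_blocks(size_t size, size_t block_align, size_t header_size)
{
    long blocks = 0;

    if (block_align == 0 || header_size == 0)
        return -1;

    while (size > 0) {
        if (size % block_align == 0) {
            if (!remaining_after_header_checked(size, header_size, &size))
                return -1;
            blocks++;
        } else {
            size--;
        }
    }
    return blocks;
}
```

With block_align 2, header 4 and 6 bytes left, the walk reaches a boundary with only 2 bytes remaining; the checked variant rejects the input instead of wrapping.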

- FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap
buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing
horizontal bounds validation of H.264 metablock regionRects coordinates. In yuv.c, the clamp() function
(line 347) only validates top/bottom against the surface/YUV height, but never checks left/right against
the surface width. When avc420_yuv_to_rgb (line 67) computes destination and source pointers using
rect->left, it performs unchecked pointer arithmetic that can reach far beyond the allocated surface
buffer. A malicious server sends a WIRE_TO_SURFACE_PDU_1 with AVC420 codec containing a regionRects entry
where left greatly exceeds the surface width (e.g., left=60000 on a 128px surface). The H.264 bitstream
decodes successfully, then yuv420_process_work_callback calls avc420_yuv_to_rgb which computes pDstPoint =
pDstData + rect->top * nDstStep + rect->left * 4, writing 16-byte SSE vectors 1888+ bytes past the
allocated heap region. This vulnerability is fixed in 3.24.0. (CVE-2026-29774)

- FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap
out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in
bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells,
bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is
fixed in 3.24.0. (CVE-2026-29775)
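The two validation defects above (the missing left/right check in CVE-2026-29774 and the off-by-one guard in CVE-2026-29775) share a root cause: a server-supplied index or coordinate is compared against the wrong bound, or not at all, before it is used in pointer arithmetic. The following is an added example and not FreeRDP's code; rect_t, the cell-count functions and the 32bpp offset computation are hypothetical stand-ins chosen to show the checks side by side.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical region rectangle; right and bottom are exclusive edges.
 * Not FreeRDP's type. */
typedef struct {
    uint32_t left, top, right, bottom;
} rect_t;

/* Off-by-one guard as the advisory describes it: an index equal to the cell
 * count passes, and cells[maxCells] is one element past the array. */
bool cache_index_ok_vulnerable(uint32_t cacheId, uint32_t maxCells)
{
    return cacheId <= maxCells;
}

/* Corrected guard: valid indices are 0 .. maxCells-1. */
bool cache_index_ok_fixed(uint32_t cacheId, uint32_t maxCells)
{
    return cacheId < maxCells;
}

/* Validate all four edges against the destination surface, not only
 * top/bottom, and reject inverted rectangles. */
bool rect_within_surface(const rect_t *r, uint32_t width, uint32_t height)
{
    if (r->left > r->right || r->top > r->bottom)
        return false;
    if (r->right > width || r->bottom > height)
        return false;
    return true;
}

/* Compute the destination byte offset for a 32bpp surface only after the
 * rectangle has been validated; *offset is untouched on rejection. */
bool dst_offset_for_rect(const rect_t *r, uint32_t width, uint32_t height,
                         size_t stride, size_t *offset)
{
    if (!rect_within_surface(r, width, height))
        return false;
    *offset = (size_t)r->top * stride + (size_t)r->left * 4;
    return true;
}
```

The advisory's own figures (left=60000 on a 128px surface) are rejected by rect_within_surface before any offset is formed; the fixed index guard rejects cacheId == maxCells.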

- FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, an integer underflow
exists in the update_read_cache_bitmap_order function of FreeRDP's core library. This vulnerability is
fixed in 3.24.0. (CVE-2026-29776)

- FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits()
function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using
NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the
actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that
exceed the expected surface size. Because these values are used during bitmap decoding and memory
operations without proper bounds checking, this can lead to a heap buffer overflow. Since the attacker can
also control the associated pixel data transmitted by the server, the overflow may be exploitable to
overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0. (CVE-2026-31806)

Solution

Update the freerdp library and its related packages to version 3.24.0-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-29774

https://security.alpinelinux.org/vuln/CVE-2026-29775

https://security.alpinelinux.org/vuln/CVE-2026-29776

https://security.alpinelinux.org/vuln/CVE-2026-31806

https://security.alpinelinux.org/vuln/CVE-2026-31883

https://security.alpinelinux.org/vuln/CVE-2026-31884

https://security.alpinelinux.org/vuln/CVE-2026-31885

https://security.alpinelinux.org/vuln/CVE-2026-31897

Plugin Details

Severity: Critical

ID: 438823

Version: Revision 1.8

Type: Local

Published: 3/16/2026

Updated: 6/12/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.43

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-31883

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 8.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-31806

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 3/13/2026

Reference Information

CVE: CVE-2026-29774, CVE-2026-29775, CVE-2026-29776, CVE-2026-31806, CVE-2026-31883, CVE-2026-31884, CVE-2026-31885, CVE-2026-31897