openSUSE 16 Security Update : freerdp (openSUSE-SU-2026:20657-1)

critical Nessus Plugin ID 312116

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20657-1 advisory.

Update to version 3.24.2.

Security issues fixed:

- CVE-2026-25941: out-of-bounds read in the FreeRDP client RDPGFX channel (bsc#1258919).
- CVE-2026-25942: buffer overflow of global array in `xf_rail_server_execute_result` (bsc#1258920).
- CVE-2026-25952: heap use-after-free in `xf_SetWindowMinMaxInfo` (bsc#1258921).
- CVE-2026-25953: heap use-after-free in `xf_AppUpdateWindowFromSurface` (bsc#1258923).
- CVE-2026-25954: heap use-after-free in `xf_rail_server_local_move_size` (bsc#1258924).
- CVE-2026-25955: heap use-after-free in `xf_AppUpdateWindowFromSurface` (bsc#1258973).
- CVE-2026-25959: heap use-after-free in `xf_cliprdr_provide_data_` (bsc#1258976).
- CVE-2026-25997: heap use-after-free in `xf_clipboard_format_equal` (bsc#1258977).
- CVE-2026-26271: buffer overread in FreeRDP icon processing (bsc#1258979).
- CVE-2026-26955: out-of-bounds write in FreeRDP clients using the GDI surface pipeline (bsc#1258982).
- CVE-2026-26965: out-of-bounds write in FreeRDP client RLE planar decode path (bsc#1258985).
- CVE-2026-29774: heap buffer overflow in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path (bsc#1259689).
- CVE-2026-29775: out-of-bounds access in the FreeRDP client bitmap cache subsystem (bsc#1259684).
- CVE-2026-29776: integer underflow in `update_read_cache_bitmap_order` (bsc#1259692).
- CVE-2026-31806: heap buffer overflow in `nsc_process_message` (bsc#1259653).
- CVE-2026-31883: heap buffer overwrite due to a `size_t` underflow in the IMA-ADPCM and MS-ADPCM audio decoders (bsc#1259679).
- CVE-2026-31884: division by zero in MS-ADPCM and IMA-ADPCM decoders (bsc#1259680).
- CVE-2026-31885: out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders (bsc#1259686).
- CVE-2026-31897: out-of-bounds read in `freerdp_bitmap_decompress_planar` (bsc#1259693).
- CVE-2026-33952: client-side crash due to `WINPR_ASSERT()` failure in `rts_read_auth_verifier_no_checks()` (bsc#1261196).
- CVE-2026-33977: client-side crash due to `WINPR_ASSERT()` failure in IMA ADPCM audio decoder (bsc#1261198).
- CVE-2026-33982: heap buffer overread in in `winpr_aligned_offset_recalloc` (bsc#1261222).
- CVE-2026-33983: undefined behavior and resource exhaustion via 80 billion iteration loop in `progressive_decompress_tile_upgrade` (bsc#1261200).
- CVE-2026-33984: heap buffer overflow in ClearCodec `resize_vbar_entry` (bsc#1261211).
- CVE-2026-33985: heap out-of-bounds read in `clear_decompress_glyph_data` (bsc#1261217).
- CVE-2026-33986: heap out-of-bounds write due to H.264 YUV buffer dimension desync (bsc#1261223).
- CVE-2026-33987: heap out-of-bounds write due to persistent cache bmpSize desync (bsc#1261226).
- CVE-2026-33995: double-free vulnerability in `kerberos_AcceptSecurityContext` and `kerberos_InitializeSecurityContextA` (bsc#1261227).

Other updates and bugfixes:

- Version 3.24.2:
* [channels,video] fix wrong cast (#12511)
* [codec,openh264] reject encoder ABI mismatch on runtime-loaded library (#12510)
* [client,sdl] create a copy of rdpPointer (#12512)
* [codec,video] properly pass intermediate format (#12518)
* [utils, signal] lazily initialize Windows CRITICAL_SECTION to match POSIX static mutex behavior (#12520) winpr:
improve libunwind backtraces (#12530)
* [server,shadow] remember selected caps (#12528)
* Zero credential data before free in NLA and NTLM context (#12532)
* [server,proxy] ignore missing client in input channel (#12536)
* [server,proxy] ignore rdpdr messages (#12537)
* [winpr,sspi] improve kerberos logging (#12538)
* Codec fixes (#12542)

- Version 3.24.1:
* [warnings] fix various sign and cast warnings (#12480)
* [client,x11] start with xfc->remote_app = TRUE; (#12491)
* Sam file read regression fix (#12484)
* [ncrypt,smartcardlogon] support ECC keys in PKCS#11 smartcard enumeration (#12490)
* Fix: memory leak in rdp_client_establish_keys() (#12494)
* Fix memory leak in freerdp_settings_int_buffer_copy() on error paths (libfreerdp/core/settings.c) (#12486)
* Code Cleanups (#12493)
* Fix: memory leak in PCSC_SCardListReadersW() (#12495)
* [channels,telemetry] use dynamic logging (#12496)
* [channel,gfx] use generic plugin log (@12498, #12499)
* [channels,audin] set error when audio_format_read fails (#12500)
* [channels,video] unify error handling (#12502)
* Fastpath fine grained lock (#12503)
* [core,update] make the PlaySound callback non-mandatory (#12504)
* Refinements: RPM build updates, FIPS improvements (#12506)

- Version 3.24.0:
* Completed the [[nodiscard]] marking of the API to warn about problematic
* unchecked use of functions
* Added full C23 support (default stays at C11) to allow new compilers
* to do stricter checking
* Improved X11 and SDL3 clients
* Improved smartcard support
* proxy now supports RFX graphics mode
* Attribute nodiscard related chanes (#12325, #12360, #12395, #12406, #12421, #12426, #12177, #12403, #12405, #12407, #12409, #12408, #12412, #12413)
* c23 related improvements (#12368, #12371, #12379, #12381, #12383, #12385, #12386, #12387, #12384)
* Generic code cleanups (#12382, #12439, #12455, #12462, #12399, #12473) [core,utils] ignore NULL values in remove_rdpdr_type (#12372)
* [codec,fdk] revert use of WinPR types (#12373)
* [core,gateway] ignore incomplete rpc header (#12375, #12376)
* [warnings] make function declaration names consistent (#12377)
* [libfreerdp] Add new define for logon error info (#12380)
* [client,x11] improve rails window locking (#12392)
* Reload fix missing null checks (#12396)
* Bounds checks (#12400)
* [server,proxy] check for nullptr before using scard_call_context (#12404)
* [uwac] fix rectangular glitch around surface damage regions (#12410)
* Address various error handling inconsistencies (#12411)
* [core,server] Improve WTS API locking (#12414)
* Address some GCC compile issues (#12415, #12420)
* Winpr atexit (#12416)
* [winpr,smartcard] fix function pointer casts (#12422)
* Xf timer fix (#12423)
* [client,sdl] workaround for wlroots compositors (#12425)
* [client,sdl] fix SdlWindow::query (#12378)
* [winpr,smartcard] fix PCSC_ReleaseCardContext (#12427)
* [client,x11] eliminate obsolete compile flags (#12428)
* [client,common] skip sending input events when not connected (#12429)
* Input connected checks (#12430)
* Floatbar and display channel improvements (#12431)
* [winpr,platform] fix WINPR_ATTR_NODISCARD definition (#12432)
* [client] Fix writing of gatewayusagemethod to .rdp files (#12433)
* Nodiscard finetune (#12435)
* [core] fix missing gateway credential sync (#12436)
* [client,sdl3] limit FREERDP_WLROOTS_HACK (#12441)
* [core,settings] Allow FreeRDP_instance in setter (#12442)
* [codec,h264] make log message trace (#12444)
* X11 rails improve (#12440)
* [codec,nsc] limit copy area in nsc_process_message (#12448)
* Proxy support RFX and NSC settings (#12449)
* [client,common] display a shortened help on parsing issues (#12450)
* [winpr,smartcard] refine locking for pcsc layer (#12451)
* [codec,swscale] allow runtime loading of swscale (#12452)
* Swscale fallback (#12454)
* Sdl multi scaling support (#12456)
* [packaging,flatpak] update runtime and dependencies (#12457)
* [codec,video] add doxygen version details (#12458)
* [github,templates] update templates (#12460)
* [client,sdl] allow FREERDP_WLROOTS_HACK for all sessions (#12461)
* [warnings,nodiscard] add log messages for failures (#12463)
* [gdi,gdi] ignore empty rectangles (#12467)
* Smartcard fix smartcard-login, pass rdpContext for abort (#12466)
* [winpr,smartcard] fix compiler warnings (#12469)
* [winpr,timezone] fix search for transition dates (#12468)
* [client,common] improve /p help (#12471)
* Scard logging refactored (#12472)
* [emu,scard] fix smartcard emulation (#12475)
* Sdl null cursor (#12474)

- Version 3.23.0:
* Sdl cleanup (#12202)
* [client,sdl] do not apply window offset (#12205)
* [client,sdl] add SDL_Error to exceptions (#12214)
* Rdp monitor log (#12215)
* [winpr,smartcard] implement some attributes (#12213)
* [client,windows] Fix return value checks for mouse event functions (#12279)
* [channels,rdpecam] fix sws context checks (#12272)
* [client,windows] Enhance error handling and context validation (#12264)
* [client,windows] Add window handle validation in RDP_EVENT_TYPE_WINDOW_NEW (#12261)
* [client,sdl] fix multimon/fullscreen on wayland (#12248)
* Vendor by app (#12207)
* [core,gateway] relax TSG parsing (#12283)
* [winpr,smartcard] simplify PCSC_ReadDeviceSystemName (#12273)
* [client,windows] Implement complete keyboard indicator synchronization (#12268)
* Fixes more more more (#12286)
* Use application details for names (#12285)
* warning cleanups (#12289)
* Warning cleanup (#12291)
* [client,windows] Enhance memory safety with NULL checks and resource protection (#12271)
* [client,x11] apply /size:xx% only once (#12293)
* Freerdp config test (#12295)
* [winpr,smartcard] fix returned attribute length (#12296)
* [client,SDL3] Fix properly handle smart-sizing with fullscreen (#12298)
* [core,test] fix use after free (#12299)
* Sign warnings (#12300)
* [cmake,compiler] disable -Wjump-misses-init (#12301)
* [codec,color] fix input length checks (#12302)
* [client,sdl] improve cursor updates, fix surface sizes (#12303)
* Sdl fullscreen (#12217)
* [client,sdl] fix move constructor of SdlWindow (#12305)
* [utils,smartcard] check stream length on padding (#12306)
* [android] Fix invert scrolling default value mismatch (#12309)
* Clear fix bounds checks (#12310)
* Winpr attr nodiscard fkt ptr (#12311)
* [codec,planar] fix missing destination bounds checks (#12312)
* [codec,clear] fix destination checks (#12315)
* NSC Codec fixes (#12317)
* Freerdp api nodiscard (#12313)
* [allocations] fix growth of preallocated buffers (#12319)
* Rdpdr simplify (#12320)
* Resource fix (#12323)
* [winpr,utils] ensure message queue capacity (#12322)
* [server,shadow] fix return and parameter checks (#12330)
* Shadow fixes (#12331)
* [rdtk,nodiscard] mark rdtk API nodiscard (#12329)
* [client,x11] fix XGetWindowProperty return handling (#12334)
* Win32 signal (#12335)
* [channel,usb] fix message parsing and creation (#12336)
* [cmake] Define WINPR_DEFINE_ATTR_NODISCARD (#12338)
* Proxy config fix (#12345)
* [codec,progressive] refine progressive decoding (#12347)
* [client,sdl] fix sdl_Pointer_New (#12350)
* [core,gateway] parse [MS-TSGU] 2.2.10.5 HTTP_CHANNEL_RESPONSE_OPTIONAL (#12353)
* X11 kbd sym (#12354)
* Windows compile warning fixes (#12357,#12358,#12359)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

Plugin Details

Severity: Critical

ID: 312116

File Name: openSUSE-2026-20657-1.nasl

Version: 1.1

Type: Local

Agent: unix

Family: SuSE Local Security Checks

Published: 5/5/2026

Updated: 5/5/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-31883

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 8.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-31806

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:freerdp-devel, p-cpe:/a:novell:opensuse:libfreerdp-server-proxy3-3, p-cpe:/a:novell:opensuse:uwac0-devel, p-cpe:/a:novell:opensuse:freerdp-sdl, p-cpe:/a:novell:opensuse:freerdp-proxy-plugins, p-cpe:/a:novell:opensuse:libfreerdp3-3, p-cpe:/a:novell:opensuse:freerdp, p-cpe:/a:novell:opensuse:librdtk0-0, p-cpe:/a:novell:opensuse:libwinpr3-3, p-cpe:/a:novell:opensuse:freerdp-server, p-cpe:/a:novell:opensuse:freerdp-proxy, p-cpe:/a:novell:opensuse:freerdp-wayland, p-cpe:/a:novell:opensuse:winpr-devel, p-cpe:/a:novell:opensuse:rdtk0-devel, p-cpe:/a:novell:opensuse:libuwac0-0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/30/2026

Vulnerability Publication Date: 2/25/2026

Reference Information

CVE: CVE-2026-25941, CVE-2026-25942, CVE-2026-25952, CVE-2026-25953, CVE-2026-25954, CVE-2026-25955, CVE-2026-25959, CVE-2026-25997, CVE-2026-26271, CVE-2026-26955, CVE-2026-26965, CVE-2026-29774, CVE-2026-29775, CVE-2026-29776, CVE-2026-31806, CVE-2026-31883, CVE-2026-31884, CVE-2026-31885, CVE-2026-31897, CVE-2026-33952, CVE-2026-33977, CVE-2026-33982, CVE-2026-33983, CVE-2026-33984, CVE-2026-33985, CVE-2026-33986, CVE-2026-33987, CVE-2026-33995

IAVA: 2026-A-0257-S, 2026-A-0286

Detections

Analytics

openSUSE 16 Security Update : freerdp (openSUSE-SU-2026:20657-1)

critical Nessus Plugin ID 312116

Synopsis

Description

Solution

See Also

Plugin Details

Risk Information

VPR

CVSS v2

CVSS v3

CVSS v4

Vulnerability Information

Reference Information