Detections
Analytics

Amazon Linux 2 : freerdp, --advisory ALAS2-2026-3356 (ALAS-2026-3356)

high Nessus Plugin ID 322013

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

The version of freerdp installed on the remote host is prior to 2.11.7-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3356 advisory.

 FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but performs copy operations using unclamped cache entry dimensions, enabling malicious RDP servers to trigger large out-of-bounds writes and potentially achieve remote code execution or client crash. (CVE-2026-40033)

 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP's server-side clipboard (cliprdr) channel by sending a CB_CLIP_CAPS PDU with a too-small capabilitySetLength. This can crash the server process (remote DoS) and may be exploitable for code execution because it corrupts heap memory. This vulnerability is fixed in 3.26.0. (CVE-2026-44420)

 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client by sending crafted RDPGFX PDUs. The bug is in gdi_CacheToSurface: it validates a destination rectangle that is clamped to UINT16_MAX, but then performs the copy using the original cacheEntry->width/height. This can cause a large out-of-bounds heap write and may lead to client crashes or code execution. This bug is reachable from a malicious RDP server, but only when the client has RDPGFX enabled. This vulnerability is fixed in 3.26.0. (CVE-2026-44421)

 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/planar.c, freerdp_bitmap_decompress_planar() validates the X destination coordinate nXDst against the caller- provided destination stride (nDstStep) even when it is writing into the internal temp buffer pTempData. An attacker can bypass the check with a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData. This vulnerability is fixed in 3.26.0.
 (CVE-2026-45700)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Run 'yum update freerdp' or or 'yum update --advisory ALAS2-2026-3356' to update your system.

See Also

https://alas.aws.amazon.com//AL2/ALAS2-2026-3356.html

https://alas.aws.amazon.com/faqs.html

https://explore.alas.aws.amazon.com/CVE-2026-40033.html

https://explore.alas.aws.amazon.com/CVE-2026-44420.html

https://explore.alas.aws.amazon.com/CVE-2026-44421.html

https://explore.alas.aws.amazon.com/CVE-2026-45700.html

Plugin Details

Severity: High

ID: 322013

File Name: al2_ALAS-2026-3356.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/22/2026

Updated: 6/22/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-45700

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 7.4

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-40033

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:libwinpr, p-cpe:/a:amazon:linux:freerdp-devel, p-cpe:/a:amazon:linux:libwinpr-devel, cpe:/o:amazon:linux:2, p-cpe:/a:amazon:linux:freerdp-libs, p-cpe:/a:amazon:linux:freerdp, p-cpe:/a:amazon:linux:freerdp-debuginfo

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/22/2026

Vulnerability Publication Date: 5/26/2026

Reference Information

CVE: CVE-2026-40033, CVE-2026-44420, CVE-2026-44421, CVE-2026-45700

IAVA: 2026-A-0602