Detections
Analytics

SUSE SLES16: freerdp / freerdp-devel / freerdp-proxy / freerdp-proxy-plugins / etc (SUSE-SU-2026:22194-1)

high Nessus Plugin ID 323073

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES16 / SLES_SAP16 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:22194-1 advisory.

 This update for freerdp fixes the following issues

 Update to version 3.26.0:

 - CVE-2026-33982: heap-buffer-overflow READ vulnerability at 24 bytes before the allocation, in winpr_aligned_offset_recalloc() (bsc#1261222).
 - CVE-2026-33985: FreeRDP: Information disclosure via heap memory out of bounds read (bsc#1261217).
 - CVE-2026-33986: heap OOB write due to H.264 YUV buffer dimension desync (bsc#1261223).
 - CVE-2026-33987: heap OOB write due to persistent cache bmpSize desync (bsc#1261226).
 - CVE-2026-33995: double-free vulnerability in kerberos_AcceptSecurityContext() and kerberos_InitializeSecurityContextA() (bsc#1261227).
 - CVE-2026-40033: heap buffer overflow in `gdi_CacheToSurface` allows attackers to cause a denial of service or achieve remote execute code (bsc#1266317).
 - CVE-2026-40254: off-by-one in contains_dotdot() allows drive channel path traversal (bsc#1262743).
 - CVE-2026-44420: Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP's server- side clipboard (cliprdr) channel (bsc#1267008).
 - CVE-2026-44421: Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client by sending crafted RDPGFX PDUs (bsc#1267009).
 - CVE-2026-44422: Prior to 3.26.0, a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path exists (bsc#1267010).
 - CVE-2026-45700: n attacker can bypass the check with a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData (bsc#1267011).

 Changes:

 * cmake: Findyuv: Use correct pkgconfig name (#12666)
 * Remove deallocator attribute from rfx_message_free (#12681)
 * [winpr,utils] improve winpr/ntlm.h (#12677)
 * rdpecam-v4l: stop the capture thread when streaming is cleared (#12690)
 * fix(winpr,ncrypt): support PIV retired key slots for smartcard logon (#12684)
 * [core,instance] fix deprecation guards (#12691)
 * [ci,alt-arch] enable internal MD4, MD5 and RC4 (#12692)
 * Add VideoToolbox H.264 support for ffmpeg (#12694)
 * [client,common] add /args-from:file: syntax (#12697)
 * [ci,freebsd] update freebsd builds (#12698, #12700, #12701, #12702)
 * [client, android] UI modernization, SQLCipher and more (#12685, #12686, #12687, #12730,
 * #12731, #12736, #12737, #12688)
 * [cmake,deps] use alias target for sso-mib (#12706)
 * [core,settings] add auto reconnect triggered flag (#12709)
 * Force YUV420P when videotoolbox is used (#12711)
 * Release cleanups (#12712)
 * [gdi,gfx] fix bounds checks and proxy unit tests (#12713)
 * Improved input checks (#12714)
 * [winpr,utils] add unit tests for command line parser (#12716)
 * Cmdline fixes (#12717)
 * [codec,planar] fix bounds checks (#12718)
 * [client,common] add freerdp_client_settings_parse_command_line_argume... (#12724)
 * [winpr,sspi] clean up ntlm code (#12732)
 * Experimental AV1 support has been added. This currently works only with FreeRDP based servers.
 * Most notably there is now support for [MS-RDPEWA] (FIDO2 redirection)
 * Android client received a (small) facelift
 * Improved SDL3 client drawing performance
 * Console output support for SDL3 (windows) and windows native client
 * RDP proxy now supports NSCodec and RFX modes.
 * RDP PRoxy now has smartcard emulation and SAM file support (via config file)
 * Smartcard KSP support for NLA authentication
 * [winpr,wlog] add WLog_SetGlobalPrefix (#12497)
 * [channels,video] fix wrong cast (#12511)
 * [codec,openh264] reject encoder ABI mismatch on runtime-loaded library (#12510)
 * [client,sdl] create a copy of rdpPointer (#12512)
 * [codec,video] properly pass intermediate format (#12518)
 * [utils, signal] lazily initialize Windows CRITICAL_SECTION to match POSIX static mutex behavior (#12520)
 * winpr: improve libunwind backtraces (#12530)
 * [server,shadow] remember selected caps (#12528)
 * Zero credential data before free in NLA and NTLM context (#12532)
 * [server,proxy] ignore missing client in input channel (#12536)
 * [server,proxy] ignore rdpdr messages (#12537)
 * [winpr,sspi] improve kerberos logging (#12538)
 * Codec fixes (#12542)
 * [winpr,sspi] Fix context nullptr handling (#12543)
 * Dev 3.24.3 dev0 (#12545)
 * Fix memory leak in gdi_create_bitmap() on gdi_CreateBitmap failure (libfreerdp/gdi/graphics.c) (#12547)
 * Fix memory leak in vgids_read_do_fkt() on Stream_New failure (libfreerdp/emu/scard/smartcard_virtual_gids.c) (#12548)
 * Proxy config improve (#12549)
 * Proxy config improve (#12550)
 * [client,sdl] clamp cursor hotspot (#12553)
 * RFC: Research/av1 codec extension (#12527)
 * [winpr,kerberos] fix krb_log_context_encryption (#12555)
 * [client,sdl] fix global init return check (#12558)
 * Fix remote credential with windows11h2 (#12560)
 * Proxy scard auth improvements (#12561)
 * [winpr,sspi] guard krb5_get_etype_info (#12562)
 * [utils,smartcard] fix STATUS_BUFFER_TOO_SMALL (#12564)
 * [client,common] do not manipulate security settings for smartcard-logon (#12567)
 * [channels,audin] fix regression for microphone (#12570)
 * [client,sdl] add SDL_KMOD_MODE and SDL_KMOD_LEVEL5 (#12569)
 * Fix unbound strlen on slotDescription (#12571)
 * build: Update FindFFmpeg.cmake to support Apple frameworks with 'lib' prefix (#12565)
 * [channels,rdpewa] add WebAuthn virtual channel support (#12572)
 * [core] fix freerdp_get_nla_sspi_error always returning 0 on client (#12574)
 * [ci] enable rdpewa channel (#12576)
 * small refactoring (#12578)
 * Rdpewa unify notifications (#12581)
 * [client,sdl] fix crash when clicking 'cancel' on PIN popup (#12580)
 * [channels,drive] refine bounds checks (#12584)
 * fix: smartcard logon with ECC keys and minidriver-assigned container names (#12585)
 * Various papercuts (#12583)
 * fix: console output on Windows client (#12573)
 * [winpr,crt] dump stack on aligned memory errors (#12588)
 * [client,x11] keep scancode input for Ctrl/Alt/Super combinations in /kbd:unicode mode (#12590)
 * [codec,progressive] fix underflow guard in progressive_rfx_quant_sub (#12592)
 * fix: wfreerdp floatbar visibility (#12594)
 * [winpr,json] return a copy from WINPR_JSON_Print* (#12595)
 * [client,sdl] drop WITH_DEBUG_SDL_EVENTS (#12599)
 * Ncrypt and asn1 cleanup (#12604)
 * Video channel fix (#12593)
 * [codec,h264] fix media foundation backend (#12606)
 * fix(sdl): detect Hyprland and river in tryFallback() (#12608)
 * Proxy stress fixes (#12597)
 * Add new fuzzer tests (#12613)
 * fix(sdl): use SDL_Renderer instead of software surfaces (#12607)
 * fix(sdl): BFS neighbor walk pop/begin mismatch in addOrUpdateDisplay (#12614)
 * fix(sdl): promote first monitor as primary when subset excludes primary (#12618)
 * [ci,android] default to only aarch64 (#12622)
 * Fix process exit code on non-pidfd platforms (macOS, BSD)#12534) (#12586)
 * warning cleanups (#12626)
 * fix: prevent PostQuitMessage in RemoteApp WM_DESTROY handler (#12629)
 * [winpr,ntlm] fix message cleanup across the SSPI lifecycle (#12609)
 * Code bug fixes (#12632)
 * Oss fixes (#12633)
 * [client,android] add an option to enable keeping screen on when connected (#12630)
 * [client, android] Fix layout overlaps, migrate to AndroidX, and update UI components (#12628)
 * Proxy config tests (#12636)
 * Proxy config optional targethost (#12637)
 * [client,sdl] set SDL_HINT_SCREENSAVER_INHIBIT_ACTIVITY_NAME (#12639)
 * Nightly deb fix (#12640, #12641, #12649, #12650, #12642, #12643)
 * [winpr,input] fix korean keyboard mapping (#12646)
 * [client,sdl] set hints before SDL_Init (#12644)
 * Sdl inhibit option (#12647)
 * [client,X11] fix residual race in xf_clipboard_formats_free (#12648)
 * (sdl3): Fix oversized window on HiDPI Wayland (#12635)
 * [cache,bitmap] fix off-by-one in bitmap_cache_put bounds check (#12651)
 * [winpr,sspi] free fields buffer immediately (#12654)
 * [codec,dsp] fix fencepost error in dsp_ima_clamp_step (#12655)
 * RDPECAM MJPEG support
 * Support for FDK-AAC for sound and microphone redirection
 * Support timezones as JSON resources
 * Rely preferably on pkgconfig to pull devel packages instead of
 * A new option /cert that unifies all certificate related options (gh#FreeRDP/FreeRDP#5880)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1174200

https://bugzilla.suse.com/1261217

https://bugzilla.suse.com/1261222

https://bugzilla.suse.com/1261223

https://bugzilla.suse.com/1261226

https://bugzilla.suse.com/1261227

https://bugzilla.suse.com/1262743

https://bugzilla.suse.com/1266317

https://bugzilla.suse.com/1267008

https://bugzilla.suse.com/1267009

https://bugzilla.suse.com/1267010

https://bugzilla.suse.com/1267011

https://lists.suse.com/pipermail/sle-updates/2026-June/047514.html

https://www.suse.com/security/cve/CVE-2026-33982

https://www.suse.com/security/cve/CVE-2026-33985

https://www.suse.com/security/cve/CVE-2026-33986

https://www.suse.com/security/cve/CVE-2026-33987

https://www.suse.com/security/cve/CVE-2026-33995

https://www.suse.com/security/cve/CVE-2026-40033

https://www.suse.com/security/cve/CVE-2026-40254

https://www.suse.com/security/cve/CVE-2026-44420

https://www.suse.com/security/cve/CVE-2026-44421

https://www.suse.com/security/cve/CVE-2026-44422

https://www.suse.com/security/cve/CVE-2026-45700

Plugin Details

Severity: High

ID: 323073

File Name: suse_SU-2026-22194-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/26/2026

Updated: 6/26/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-45700

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 7.4

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-40033

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:freerdp, p-cpe:/a:novell:suse_linux:freerdp-proxy-plugins, p-cpe:/a:novell:suse_linux:freerdp-devel, p-cpe:/a:novell:suse_linux:libwinpr3-3, p-cpe:/a:novell:suse_linux:winpr-devel, p-cpe:/a:novell:suse_linux:freerdp-wayland, p-cpe:/a:novell:suse_linux:freerdp-server, p-cpe:/a:novell:suse_linux:freerdp-sdl, p-cpe:/a:novell:suse_linux:librdtk0-0, cpe:/o:novell:suse_linux:16, p-cpe:/a:novell:suse_linux:libfreerdp-server-proxy3-3, p-cpe:/a:novell:suse_linux:libuwac0-0, p-cpe:/a:novell:suse_linux:freerdp-proxy, p-cpe:/a:novell:suse_linux:libfreerdp3-3

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/20/2026

Vulnerability Publication Date: 3/26/2026

Reference Information

CVE: CVE-2026-33982, CVE-2026-33985, CVE-2026-33986, CVE-2026-33987, CVE-2026-33995, CVE-2026-40033, CVE-2026-40254, CVE-2026-44420, CVE-2026-44421, CVE-2026-44422, CVE-2026-45700

IAVA: 2026-A-0286-S, 2026-A-0602

SuSE: SUSE-SU-2026:22194-1