Amazon Linux 2023 Security Advisory: ALAS2023-2026-1512
Advisory Released Date: 2026-04-01
Advisory Updated Date: 2026-04-01
FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU whose `bitmapDataLength` field is larger than the amount of data actually present in the packet. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue. (CVE-2026-25941)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 0-6) with an unchecked `execResult->execResult` value received from the server, allowing an out-of-bounds read when the server sends an `execResult` value of 7 or greater. Version 3.23.0 fixes the issue. (CVE-2026-25942)
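The two checks the entries for CVE-2026-25941 and CVE-2026-25942 describe, as an added example that is not FreeRDP's code: a simplified, hypothetical surface PDU whose declared `bitmapDataLength` is compared against the bytes remaining in the packet before it is used, and a server-supplied `execResult` that is range-checked before it indexes a seven-entry name table. The stream type, the PDU layout and the two packets are constructed for the example; the name strings follow the `execResult` values defined in MS-RDPERP and are not FreeRDP's own `error_code_names[]`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed read-only stream (not FreeRDP's wStream): the one query every
 * length check needs is "how many bytes are actually left in this packet". */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } rd_stream;

static size_t rd_remaining(const rd_stream *s) { return s->len - s->pos; }

static bool rd_u16(rd_stream *s, uint16_t *out) {
    if (rd_remaining(s) < 2) return false;
    *out = (uint16_t)(s->buf[s->pos] | (s->buf[s->pos + 1] << 8));
    s->pos += 2;
    return true;
}

static bool rd_u32(rd_stream *s, uint32_t *out) {
    if (rd_remaining(s) < 4) return false;
    *out = (uint32_t)s->buf[s->pos] | ((uint32_t)s->buf[s->pos + 1] << 8) |
           ((uint32_t)s->buf[s->pos + 2] << 16) | ((uint32_t)s->buf[s->pos + 3] << 24);
    s->pos += 4;
    return true;
}

/* Hypothetical, simplified surface PDU: surfaceId (u16), bitmapDataLength (u32),
 * then bitmapData. The real WIRE_TO_SURFACE_2 layout has more fields; only the
 * relationship between the declared length and the bytes present matters here. */
typedef struct { uint16_t surface_id; uint32_t bitmap_data_length; const uint8_t *bitmap_data; } surface_pdu;

/* Vulnerable shape: the server-supplied length is trusted. A decoder that later
 * reads bitmap_data_length bytes from bitmap_data walks past the packet into
 * whatever heap memory follows it (information disclosure or a crash). */
static bool parse_surface_pdu_unchecked(rd_stream *s, surface_pdu *out) {
    if (!rd_u16(s, &out->surface_id) || !rd_u32(s, &out->bitmap_data_length)) return false;
    out->bitmap_data = s->buf + s->pos;   /* never compared against rd_remaining() */
    s->pos += out->bitmap_data_length;    /* may now point beyond len */
    return true;
}

/* Hardened shape: the declared length must fit in what is actually left. */
static bool parse_surface_pdu_checked(rd_stream *s, surface_pdu *out) {
    if (!rd_u16(s, &out->surface_id) || !rd_u32(s, &out->bitmap_data_length)) return false;
    if (out->bitmap_data_length > rd_remaining(s)) return false;
    out->bitmap_data = s->buf + s->pos;
    s->pos += out->bitmap_data_length;
    return true;
}

/* Second pattern from the advisory: a server-supplied value used as an array
 * index. Names follow the execResult values in MS-RDPERP; FreeRDP's own table
 * (error_code_names[]) also has seven entries, indices 0-6. */
static const char *const exec_result_names[] = {
    "RAIL_EXEC_S_OK", "RAIL_EXEC_E_HOOK_NOT_LOADED", "RAIL_EXEC_E_DECODE_FAILED",
    "RAIL_EXEC_E_NOT_IN_ALLOWLIST", "RAIL_EXEC_E_FILE_NOT_FOUND", "RAIL_EXEC_E_FAIL",
    "RAIL_EXEC_E_SESSION_LOCKED",
};

static const char *exec_result_name(uint16_t exec_result) {
    const size_t n = sizeof(exec_result_names) / sizeof(exec_result_names[0]);
    if ((size_t)exec_result >= n) return "unknown execResult";   /* 7 and up: never index past the table */
    return exec_result_names[exec_result];
}

/* Constructed packets: the header claims 8 bytes of bitmap data but only 3 follow;
 * the second packet is the same bytes with an honest length of 3. */
static const uint8_t kShortPacket[] = { 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0xaa, 0xbb, 0xcc };
static const uint8_t kGoodPacket[]  = { 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0xaa, 0xbb, 0xcc };

/* Returns the stream position after parsing, or 0 if the parser rejected the
 * packet, so the unchecked parser's out-of-bounds position is visible. */
static size_t parse_with(bool (*parser)(rd_stream *, surface_pdu *), const uint8_t *pkt, size_t len) {
    rd_stream s = { pkt, len, 0 };
    surface_pdu pdu;
    return parser(&s, &pdu) ? s.pos : 0;
}

int main(void) {
    printf("unchecked parser, short packet: position %zu of %zu bytes\n",
           parse_with(parse_surface_pdu_unchecked, kShortPacket, sizeof kShortPacket), sizeof kShortPacket);
    printf("checked parser, short packet:   %s\n",
           parse_with(parse_surface_pdu_checked, kShortPacket, sizeof kShortPacket) ? "accepted" : "rejected");
    printf("execResult 7 -> %s\n", exec_result_name(7));
    return 0;
}
```

The unchecked parser accepts the short packet and ends at position 14 of a 9-byte buffer, which is exactly the state in which a later copy or decode reads past the allocation; the checked parser rejects it before any pointer is handed out.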
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue. (CVE-2026-25952)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue. (CVE-2026-25953)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue. (CVE-2026-25954)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue. (CVE-2026-25955)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response`, which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data`, whose `HashTable_Clear` frees the same data via `xf_cached_data_free`, triggering a heap use-after-free. Version 3.23.0 fixes the issue. (CVE-2026-25959)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes the issue. (CVE-2026-25997)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer overread in `freerdp_image_copy_from_icon_data()` (libfreerdp/codec/color.c) can be triggered by crafted RDP Window Icon (TS_ICON_INFO) data. The bug is reachable over the network when a client processes icon data from an RDP server (or from a man-in-the-middle). Version 3.23.0 fixes the issue. (CVE-2026-26271)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability. (CVE-2026-26986)
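The lifetime problem behind CVE-2026-25952, CVE-2026-25953 and CVE-2026-25954, and the error-path problem behind CVE-2026-26986, as an added example that is not FreeRDP's code: a constructed window table in which a lookup hands back a reference-counted object instead of a bare pointer, and in which a window is only published in the table after it has been fully built. The table, the window type and the window ids are invented for the example; the two threads' interleaving is simulated by sequential calls, and the locking a real implementation needs around the table is noted in the comments but not shown.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not FreeRDP's railWindows code: a fixed-size window
 * table keyed by window id, with a reference count so a channel thread's lookup
 * keeps the window alive across a concurrent delete order from the main thread. */
#define MAX_WINDOWS 8

/* refs: 1 for the table's own reference, +1 per outstanding lookup */
typedef struct { uint32_t id; int refs; char *title; } app_window;
typedef struct { app_window *slots[MAX_WINDOWS]; } window_table;

static int g_live_windows;   /* app_window objects currently allocated */

static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

static void window_unref(app_window *w) {
    if (!w || --w->refs > 0) return;
    free(w->title);
    free(w);
    g_live_windows--;
}

/* Build the window completely before publishing it: if the title allocation fails,
 * nothing references the half-built object, so freeing it leaves no dangling entry. */
static app_window *window_create(window_table *t, uint32_t id, const char *title, bool fail_title_alloc) {
    app_window *w = calloc(1, sizeof *w);
    if (!w) return NULL;
    g_live_windows++;
    w->id = id;
    w->refs = 1;                                   /* the table's reference, handed over below */
    w->title = fail_title_alloc ? NULL : dup_string(title);
    if (!w->title) { window_unref(w); return NULL; }   /* not in the table yet: plain free is safe */
    for (size_t i = 0; i < MAX_WINDOWS; i++)
        if (!t->slots[i]) { t->slots[i] = w; return w; }
    window_unref(w);                               /* table full */
    return NULL;
}

/* Vulnerable shape: hand out the table's pointer with no lifetime protection. */
static app_window *table_lookup_bare(window_table *t, uint32_t id) {
    for (size_t i = 0; i < MAX_WINDOWS; i++)
        if (t->slots[i] && t->slots[i]->id == id) return t->slots[i];
    return NULL;
}

/* Hardened shape: the lookup takes a reference the caller drops with window_unref().
 * Threaded code runs this lookup-plus-increment and table_delete() under the table's
 * lock; the calls below are sequential, so no lock is shown. */
static app_window *table_lookup_ref(window_table *t, uint32_t id) {
    app_window *w = table_lookup_bare(t, id);
    if (w) w->refs++;
    return w;
}

/* Window delete order: unlink the entry and drop only the table's reference. */
static bool table_delete(window_table *t, uint32_t id) {
    for (size_t i = 0; i < MAX_WINDOWS; i++) {
        if (!t->slots[i] || t->slots[i]->id != id) continue;
        app_window *w = t->slots[i];
        t->slots[i] = NULL;
        window_unref(w);
        return true;
    }
    return false;
}

static void table_free(window_table *t) {          /* disconnect-time cleanup */
    for (size_t i = 0; i < MAX_WINDOWS; i++) { window_unref(t->slots[i]); t->slots[i] = NULL; }
}

/* Sequential stand-in for the race: the channel thread looks up window 7, the main
 * thread handles a delete order for it, the channel thread keeps using its pointer.
 * Returns the live-window count at that use: with a reference it is 1 and the read of
 * held->title is valid; with the bare lookup it is 0 and the same read would be a UAF. */
static int live_windows_at_use(bool take_reference) {
    window_table t = {{0}};
    window_create(&t, 7, "Calculator", false);
    app_window *held = take_reference ? table_lookup_ref(&t, 7) : table_lookup_bare(&t, 7);
    table_delete(&t, 7);                           /* main thread: delete order */
    int live_at_use = g_live_windows;
    if (take_reference) {
        if (strlen(held->title) == 0) live_at_use = -1;   /* safe: we still hold a reference */
        window_unref(held);                        /* last reference: freed here */
    }                                              /* bare case: held dangles, deliberately unused */
    table_free(&t);
    return live_at_use;
}

/* Title allocation failure: 0 means no table entry and no allocation survived,
 * so the disconnect-time table_free() has nothing to free twice. */
static int failed_create_is_clean(void) {
    window_table t = {{0}};
    app_window *w = window_create(&t, 9, "Notepad", true);
    bool clean = (w == NULL) && (table_lookup_bare(&t, 9) == NULL);
    table_free(&t);
    return clean ? g_live_windows : -1;
}
```

The same discipline applies to the cached `XImage` and clipboard buffers in the entries that follow: whichever thread frees a buffer must also invalidate every alias of it, or the alias must hold its own reference.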
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT`, which calls `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (the default in FreeRDP 3.22.0 and in the current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g. `xfreerdp /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue. (CVE-2026-27015)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to the SDL3 code path. In the SDL2 implementation, the pointer is not nulled after free. This creates a situation where the advisory suggests the vulnerability is fully resolved, while builds or environments still using SDL2 may retain the vulnerable logic. A complete fix is available in version 3.23.0. (CVE-2026-27950)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` can enter an endless blocking loop. This may affect all client and server implementations using FreeRDP. Practical exploitation is limited to 32-bit systems where the available physical memory is `>= SIZE_MAX`. Version 3.23.0 contains a patch. No known workarounds are available. (CVE-2026-27951)
A flaw was found in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). The `gdi_surface_bits()` function, which processes `SURFACE_BITS_COMMAND` messages, does not properly validate image dimensions (`bmp.width` and `bmp.height`) provided by a malicious RDP server. This can lead to a heap buffer overflow during bitmap decoding and memory operations. A remote attacker could exploit this to overwrite adjacent memory, potentially resulting in arbitrary code execution. (CVE-2026-31806)
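A validation routine of the kind the CVE-2026-31806 entry calls for, as an added example that is not FreeRDP's `gdi_surface_bits()`: it computes the pixel buffer size with overflow-checked arithmetic, checks that the destination rectangle lies inside the surface, and for raw data requires the PDU to carry every byte before anything is decoded or copied. The surface and command structures, the status codes and the 1024x768 test surface are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not FreeRDP's gdi_surface_bits(): validate server-supplied
 * bitmap geometry before any decoder or memcpy touches the destination surface. */
typedef struct { uint32_t width, height; } gdi_surface_t;   /* destination surface in pixels */

typedef struct {
    uint32_t dest_left, dest_top;   /* where the server asks the client to paint */
    uint32_t width, height;         /* the server-supplied bmp.width / bmp.height */
    uint32_t bpp;                   /* bits per pixel claimed by the server */
    uint32_t bitmap_data_length;    /* bytes of bitmap data actually carried in the PDU */
} surface_bits_cmd_t;

typedef enum { SB_OK = 0, SB_BAD_BPP, SB_ZERO_DIM, SB_OVERFLOW, SB_OUT_OF_SURFACE, SB_SHORT_DATA } sb_status;

static bool mul_u32(uint32_t a, uint32_t b, uint32_t *out) {   /* false on 32-bit overflow */
    uint64_t r = (uint64_t)a * b;
    if (r > UINT32_MAX) return false;
    *out = (uint32_t)r;
    return true;
}

/* Vulnerable shape: the byte count is computed with wrapping arithmetic and never
 * checked against the destination, so a 65536x65536 bitmap "needs" 0 bytes while
 * the decoder still writes 2^32 pixels into whatever buffer that size bought. */
static uint32_t surface_bits_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * (bpp / 8);
}

/* Hardened shape: reject before allocating or decoding. On success *raw_bytes is the
 * uncompressed pixel buffer size; a compressed codec checks its own output length
 * after decode, but the rectangle checks apply to it just the same. */
static sb_status surface_bits_validate(const gdi_surface_t *surf, const surface_bits_cmd_t *c, uint32_t *raw_bytes) {
    uint32_t row_bytes, total;
    if (c->bpp != 16 && c->bpp != 24 && c->bpp != 32) return SB_BAD_BPP;
    if (c->width == 0 || c->height == 0) return SB_ZERO_DIM;
    if (!mul_u32(c->width, c->bpp / 8, &row_bytes) || !mul_u32(row_bytes, c->height, &total)) return SB_OVERFLOW;
    /* dest + size must not wrap, and the rectangle must lie inside the surface */
    if (c->dest_left > UINT32_MAX - c->width || c->dest_top > UINT32_MAX - c->height) return SB_OVERFLOW;
    if (c->dest_left + c->width > surf->width || c->dest_top + c->height > surf->height) return SB_OUT_OF_SURFACE;
    if (c->bitmap_data_length < total) return SB_SHORT_DATA;   /* raw data: the PDU must carry every byte */
    *raw_bytes = total;
    return SB_OK;
}

/* Runs one constructed command against a constructed 1024x768 destination surface. */
static sb_status check_case(uint32_t left, uint32_t top, uint32_t w, uint32_t h, uint32_t bpp, uint32_t len) {
    gdi_surface_t surf = { 1024, 768 };
    surface_bits_cmd_t c = { left, top, w, h, bpp, len };
    uint32_t bytes = 0;
    return surface_bits_validate(&surf, &c, &bytes);
}

int main(void) {
    printf("unchecked size for 65536x65536 at 32 bpp: %u bytes\n", surface_bits_size_unchecked(65536, 65536, 32));
    printf("validate 65536x65536 at 32 bpp: status %d (SB_OVERFLOW is %d)\n",
           check_case(0, 0, 65536, 65536, 32, 100), SB_OVERFLOW);
    printf("validate 100x16 at x=1000 on a 1024-wide surface: status %d (SB_OUT_OF_SURFACE is %d)\n",
           check_case(1000, 0, 100, 16, 32, 6400), SB_OUT_OF_SURFACE);
    return 0;
}
```

The order of the checks matters: size overflow is tested before the rectangle is compared with the surface so that a wrapped `dest + width` can never pass the bounds comparison by accident.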
Affected Packages:
freerdp
Issue Correction:
Run dnf update freerdp --releasever 2023.10.20260330 or dnf update --advisory ALAS2023-2026-1512 --releasever 2023.10.20260330 to update your system. The fixes are backported, so the updated packages keep the 3.6.3 base version and carry release 1.amzn2023.0.7: check with rpm -q freerdp freerdp-libs libwinpr that the installed release is 1.amzn2023.0.7 or later rather than expecting version 3.23.0 to appear. Client processes that were already running (for example xfreerdp) keep the old libraries mapped until they are restarted.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
freerdp-server-debuginfo-3.6.3-1.amzn2023.0.7.aarch64
freerdp-debuginfo-3.6.3-1.amzn2023.0.7.aarch64
freerdp-libs-debuginfo-3.6.3-1.amzn2023.0.7.aarch64
libwinpr-debuginfo-3.6.3-1.amzn2023.0.7.aarch64
libwinpr-devel-3.6.3-1.amzn2023.0.7.aarch64
freerdp-libs-3.6.3-1.amzn2023.0.7.aarch64
freerdp-server-3.6.3-1.amzn2023.0.7.aarch64
freerdp-3.6.3-1.amzn2023.0.7.aarch64
libwinpr-3.6.3-1.amzn2023.0.7.aarch64
freerdp-devel-3.6.3-1.amzn2023.0.7.aarch64
freerdp-debugsource-3.6.3-1.amzn2023.0.7.aarch64
src:
freerdp-3.6.3-1.amzn2023.0.7.src
x86_64:
freerdp-libs-debuginfo-3.6.3-1.amzn2023.0.7.x86_64
freerdp-server-debuginfo-3.6.3-1.amzn2023.0.7.x86_64
freerdp-debuginfo-3.6.3-1.amzn2023.0.7.x86_64
freerdp-3.6.3-1.amzn2023.0.7.x86_64
libwinpr-debuginfo-3.6.3-1.amzn2023.0.7.x86_64
freerdp-server-3.6.3-1.amzn2023.0.7.x86_64
libwinpr-devel-3.6.3-1.amzn2023.0.7.x86_64
libwinpr-3.6.3-1.amzn2023.0.7.x86_64
freerdp-libs-3.6.3-1.amzn2023.0.7.x86_64
freerdp-devel-3.6.3-1.amzn2023.0.7.x86_64
freerdp-debugsource-3.6.3-1.amzn2023.0.7.x86_64