Vulners
Lucene search
Amazon Linux 2 : freerdp, --advisory ALAS2-2026-3239 (ALAS-2026-3239)
| Reporter | Title | Published | Views | Family All 338 |
|---|---|---|---|---|
 | CVE-2026-31884 | 13 Mar 202617:36 | – | attackerkb |
| CVE-2026-29775 | 13 Mar 202617:28 | – | attackerkb |
| CVE-2026-31897 | 13 Mar 202617:42 | – | attackerkb |
| CVE-2026-29774 | 13 Mar 202617:26 | – | attackerkb |
| CVE-2026-31883 | 13 Mar 202617:35 | – | attackerkb |
| CVE-2026-29776 | 13 Mar 202617:33 | – | attackerkb |
| CVE-2026-31885 | 13 Mar 202617:38 | – | attackerkb |
 | Amazon Linux 2023 : freerdp, freerdp-devel, freerdp-libs (ALAS2023-2026-1520) | 1 Apr 202600:00 | – | nessus |
| Alibaba Cloud Linux 3 : 0116: freerdp (ALINUX3-SA-2026:0116) | 25 May 202600:00 | – | nessus |
| AlmaLinux 10 : freerdp (ALSA-2026:16014) | 13 May 202600:00 | – | nessus |
10
10
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2026-3239.
##
include('compat.inc');
if (description)
{
script_id(306278);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/14");
script_cve_id(
"CVE-2026-29774",
"CVE-2026-29775",
"CVE-2026-29776",
"CVE-2026-31883",
"CVE-2026-31884",
"CVE-2026-31885",
"CVE-2026-31897"
);
script_xref(name:"IAVA", value:"2026-A-0286");
script_name(english:"Amazon Linux 2 : freerdp, --advisory ALAS2-2026-3239 (ALAS-2026-3239)");
script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The version of freerdp installed on the remote host is prior to 2.11.7-1. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2-2026-3239 advisory.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap
buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing
horizontal bounds validation of H.264 metablock regionRects coordinates. In yuv.c, the clamp() function
(line 347) only validates top/bottom against the surface/YUV height, but never checks left/right against
the surface width. When avc420_yuv_to_rgb (line 67) computes destination and source pointers using
rect->left, it performs unchecked pointer arithmetic that can reach far beyond the allocated surface
buffer. A malicious server sends a WIRE_TO_SURFACE_PDU_1 with AVC420 codec containing a regionRects entry
where left greatly exceeds the surface width (e.g., left=60000 on a 128px surface). The H.264 bitstream
decodes successfully, then yuv420_process_work_callback calls avc420_yuv_to_rgb which computes pDstPoint =
pDstData + rect->top * nDstStep + rect->left * 4, writing 16-byte SSE vectors 1888+ bytes past the
allocated heap region. This vulnerability is fixed in 3.24.0. (CVE-2026-29774)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-
of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in
bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells,
bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is
fixed in 3.24.0. (CVE-2026-29775)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, Integer Underflow in
update_read_cache_bitmap_order Function of FreeRDP's Core Library This vulnerability is fixed in 3.24.0.
(CVE-2026-29776)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in
the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio
channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a
size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such
that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header
(4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an
astronomical number of iterations. This vulnerability is fixed in 3.24.0. (CVE-2026-31883)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, division by zero in MS-
ADPCM and IMA-ADPCM decoders when nBlockAlign is 0, leading to a crash. In libfreerdp/codec/dsp.c, both
ADPCM decoders use size % block_size where block_size = context->common.format.nBlockAlign. The
nBlockAlign value comes from the Server Audio Formats PDU on the RDPSND channel. The value 0 is not
validated anywhere before reaching the decoder. When nBlockAlign = 0, the modulo operation causes a SIGFPE
(floating point exception) crash. This vulnerability is fixed in 3.24.0. (CVE-2026-31884)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-
bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input
data. This vulnerability is fixed in 3.24.0. (CVE-2026-31885)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-
bounds read in freerdp_bitmap_decompress_planar when SrcSize is 0. The function dereferences *srcp (which
points to pSrcData) without first verifying that SrcSize >= 1. When SrcSize is 0 and pSrcData is non-NULL,
this reads one byte past the end of the source buffer. This vulnerability is fixed in 3.24.0.
(CVE-2026-31897)
Tenable has extracted the preceding description block directly from the tested product security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com//AL2/ALAS2-2026-3239.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-29774.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-29775.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-29776.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-31883.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-31884.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-31885.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-31897.html");
script_set_attribute(attribute:"solution", value:
"Run 'yum update freerdp' or
or 'yum update --advisory ALAS2-2026-3239' to update your system.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-31883");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2026/03/13");
script_set_attribute(attribute:"patch_publication_date", value:"2026/04/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:freerdp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:freerdp-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:freerdp-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:freerdp-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libwinpr");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libwinpr-devel");
script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Amazon Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
if (os_ver == 'A') os_ver = 'AMI';
audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}
if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var pkgs = [
{'reference':'freerdp-2.11.7-1.amzn2.0.9', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'freerdp-2.11.7-1.amzn2.0.9', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'freerdp-2.11.7-1.amzn2.0.9', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'freerdp-debuginfo-2.11.7-1.amzn2.0.9', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'freerdp-debuginfo-2.11.7-1.amzn2.0.9', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'freerdp-debuginfo-2.11.7-1.amzn2.0.9', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'freerdp-devel-2.11.7-1.amzn2.0.9', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'freerdp-devel-2.11.7-1.amzn2.0.9', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'freerdp-devel-2.11.7-1.amzn2.0.9', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'freerdp-libs-2.11.7-1.amzn2.0.9', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'freerdp-libs-2.11.7-1.amzn2.0.9', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'freerdp-libs-2.11.7-1.amzn2.0.9', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libwinpr-2.11.7-1.amzn2.0.9', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libwinpr-2.11.7-1.amzn2.0.9', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libwinpr-2.11.7-1.amzn2.0.9', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libwinpr-devel-2.11.7-1.amzn2.0.9', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libwinpr-devel-2.11.7-1.amzn2.0.9', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libwinpr-devel-2.11.7-1.amzn2.0.9', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freerdp / freerdp-debuginfo / freerdp-devel / etc");
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Apr 2026 00:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.16.5 - 9.8
EPSS0.00103
SSVC