Nixpkgs security tracker

Published

Permalink CVE-2026-23530

updated 4 months ago by @LeSuisse Activity log

Created suggestion 4 months, 1 week ago
@mweinelt accepted 4 months, 1 week ago
@LeSuisse deleted maintainer @peterhoeg 4 months ago maintainer.delete
@LeSuisse published on GitHub 4 months ago

FreeRDP has heap-buffer-overflow in planar_decompress_plane_rle

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-r4hv-852m-fq7p x_refsource_CONFIRM
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L1689-L1696 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L1713-L1716 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L951-L953 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 x_refsource_MISC

Affected products

FreeRDP

==< 3.21.0

Matching in nixpkgs

pkgs.freerdp

Remote Desktop Protocol Client

nixos-unstable 3.17.2
- nixpkgs-unstable 3.17.2
- nixos-unstable-small 3.17.2

Package maintainers

Ignored maintainers (1)

@peterhoeg Peter Hoeg <peter@hoeg.com>

Fixed in https://github.com/NixOS/nixpkgs/pull/481912 and https://github.com/NixOS/nixpkgs/pull/481941

Published

Permalink CVE-2026-23534

updated 4 months, 1 week ago by @LeSuisse Activity log

Created suggestion 4 months, 1 week ago
@LeSuisse accepted 4 months, 1 week ago
@LeSuisse published on GitHub 4 months, 1 week ago

FreeRDP has heap-buffer-overflow in clear_decompress_bands_data

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3frr-mp8w-4599 x_refsource_CONFIRM
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L878-L879 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L883-L884 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 x_refsource_MISC

Affected products

FreeRDP

==< 3.21.0

Matching in nixpkgs

pkgs.freerdp

Remote Desktop Protocol Client

nixos-unstable 3.17.2
- nixpkgs-unstable 3.17.2
- nixos-unstable-small 3.17.2

Package maintainers

@peterhoeg Peter Hoeg <peter@hoeg.com>

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3frr-mp8w-4599

Published

Permalink CVE-2026-23532

updated 4 months, 1 week ago by @LeSuisse Activity log

Created suggestion 4 months, 1 week ago
@LeSuisse accepted 4 months, 1 week ago
@LeSuisse published on GitHub 4 months, 1 week ago

FreeRDP has heap-buffer-overflow in gdi_SurfaceToSurface

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr x_refsource_CONFIRM
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/gdi/gfx.c#L1368-L1382 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 x_refsource_MISC

Affected products

FreeRDP

==< 3.21.0

Matching in nixpkgs

pkgs.freerdp

Remote Desktop Protocol Client

nixos-unstable 3.17.2
- nixpkgs-unstable 3.17.2
- nixos-unstable-small 3.17.2

Package maintainers

@peterhoeg Peter Hoeg <peter@hoeg.com>

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr

Published

Permalink CVE-2026-23883

updated 4 months, 1 week ago by @LeSuisse Activity log

Created suggestion 4 months, 1 week ago
@LeSuisse accepted 4 months, 1 week ago
@LeSuisse published on GitHub 4 months, 1 week ago

Heap-use-after-free in update_pointer_new

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qcrr-85qx-4p6x x_refsource_CONFIRM
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_graphics.c#L312-L319 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_graphics.c#L340 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/pointer.c#L164-L174 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 x_refsource_MISC

Affected products

FreeRDP

==< 3.21.0

Matching in nixpkgs

pkgs.freerdp

Remote Desktop Protocol Client

nixos-unstable 3.17.2
- nixpkgs-unstable 3.17.2
- nixos-unstable-small 3.17.2

Package maintainers

@peterhoeg Peter Hoeg <peter@hoeg.com>

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qcrr-85qx-4p6x

Published

Permalink CVE-2026-23732

updated 4 months, 1 week ago by @LeSuisse Activity log

Created suggestion 4 months, 1 week ago
@LeSuisse accepted 4 months, 1 week ago
@LeSuisse published on GitHub 4 months, 1 week ago

FreeRDP has heap-buffer-overflow in Glyph_Alloc

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client‑side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue.

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7qxp-j2fj-c3pp x_refsource_CONFIRMexploit
https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/cache/glyph.c#L463-L480 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/codec/color.c#L261-L277 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/core/graphics.c#L138 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/core/orders.c#L2186C17-L2199 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 x_refsource_MISC

Affected products

FreeRDP

==< 3.21.0

Matching in nixpkgs

pkgs.freerdp

Remote Desktop Protocol Client

nixos-unstable 3.17.2
- nixpkgs-unstable 3.17.2
- nixos-unstable-small 3.17.2

Package maintainers

@peterhoeg Peter Hoeg <peter@hoeg.com>

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7qxp-j2fj-c3pp

Published

Permalink CVE-2026-23533

updated 4 months, 1 week ago by @LeSuisse Activity log

Created suggestion 4 months, 1 week ago
@LeSuisse accepted 4 months, 1 week ago
@LeSuisse published on GitHub 4 months, 1 week ago

FreeRDP has heap-buffer-overflow in clear_decompress_residual_data

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-32q9-m5qr-9j2v x_refsource_CONFIRM
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L268-L281 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L336 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 x_refsource_MISC

Affected products

FreeRDP

==< 3.21.0

Matching in nixpkgs

pkgs.freerdp

Remote Desktop Protocol Client

nixos-unstable 3.17.2
- nixpkgs-unstable 3.17.2
- nixos-unstable-small 3.17.2

Package maintainers

@peterhoeg Peter Hoeg <peter@hoeg.com>

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-32q9-m5qr-9j2v

Published

Permalink CVE-2026-23884

updated 4 months, 1 week ago by @LeSuisse Activity log

Created suggestion 4 months, 1 week ago
@LeSuisse accepted 4 months, 1 week ago
@LeSuisse published on GitHub 4 months, 1 week ago

Heap-use-after-free in gdi_set_bounds

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cfgj-vc84-f3pp x_refsource_CONFIRM
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L114-L122 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L87-L91 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 x_refsource_MISC

Affected products

FreeRDP

==< 3.21.0

Matching in nixpkgs

pkgs.freerdp

Remote Desktop Protocol Client

nixos-unstable 3.17.2
- nixpkgs-unstable 3.17.2
- nixos-unstable-small 3.17.2

Package maintainers

@peterhoeg Peter Hoeg <peter@hoeg.com>

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cfgj-vc84-f3pp

Published

Permalink CVE-2026-23531

updated 4 months, 1 week ago by @LeSuisse Activity log

Created suggestion 4 months, 1 week ago
@LeSuisse accepted 4 months, 1 week ago
@LeSuisse published on GitHub 4 months, 1 week ago

FreeRDP has heap-buffer-overflow in clear_decompress

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xj5h-9cr5-23c5 x_refsource_CONFIRM
https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L1139-L1145 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 x_refsource_MISC

Affected products

FreeRDP

==< 3.21.0

Matching in nixpkgs

pkgs.freerdp

Remote Desktop Protocol Client

nixos-unstable 3.17.2
- nixpkgs-unstable 3.17.2
- nixos-unstable-small 3.17.2

Package maintainers

@peterhoeg Peter Hoeg <peter@hoeg.com>

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xj5h-9cr5-23c5

Published

Permalink CVE-2026-22854

updated 4 months, 1 week ago by @LeSuisse Activity log

Created suggestion 4 months, 1 week ago
@LeSuisse deleted maintainer @peterhoeg 4 months, 1 week ago maintainer.delete
@LeSuisse accepted 4 months, 1 week ago
@LeSuisse published on GitHub 4 months, 1 week ago

FreeRDP has a heap-buffer-overflow in drive_process_irp_read

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1.

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47vj-g3c3-3rmf x_refsource_CONFIRM
https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 x_refsource_MISC

Affected products

FreeRDP

==< 3.20.1

Matching in nixpkgs

pkgs.freerdp

Remote Desktop Protocol Client

nixos-unstable 3.17.2
- nixpkgs-unstable 3.17.2
- nixos-unstable-small 3.17.2

Package maintainers

Ignored maintainers (1)

@peterhoeg Peter Hoeg <peter@hoeg.com>

Published

Permalink CVE-2026-22857

updated 4 months, 1 week ago by @LeSuisse Activity log

Created suggestion 4 months, 1 week ago
@LeSuisse accepted 4 months, 1 week ago
@LeSuisse published on GitHub 4 months, 1 week ago

FreeRDP has a heap-use-after-free in irp_thread_func

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gxq-jhq6-4cr8 x_refsource_CONFIRM
https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 x_refsource_MISC

Affected products

FreeRDP

==< 3.20.1

Matching in nixpkgs

pkgs.freerdp

Remote Desktop Protocol Client

nixos-unstable 3.17.2
- nixpkgs-unstable 3.17.2
- nixos-unstable-small 3.17.2

Package maintainers

@peterhoeg Peter Hoeg <peter@hoeg.com>

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gxq-jhq6-4cr8

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.freerdp

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.freerdp

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.freerdp

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.freerdp

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.freerdp

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.freerdp

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.freerdp

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.freerdp

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.freerdp

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.freerdp

Package maintainers