ALAS2-2026-3221

Amazon Linux 2 Security Advisory: ALAS2-2026-3221
Advisory Released Date: 2026-04-01
Advisory Updated Date: 2026-04-01

Severity: Important

References: CVE-2026-25941 CVE-2026-25942 CVE-2026-25952 CVE-2026-25953 CVE-2026-25954 CVE-2026-25997 CVE-2026-26271 CVE-2026-26986 CVE-2026-27015 CVE-2026-27951 CVE-2026-31806
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue. (CVE-2026-25941)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 0-6) with an unchecked `execResult->execResult` value received from the server, allowing an out-of-bounds read when the server sends an `execResult` value of 7 or greater. Version 3.23.0 fixes the issue. (CVE-2026-25942)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue. (CVE-2026-25952)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue. (CVE-2026-25953)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue. (CVE-2026-25954)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes the issue. (CVE-2026-25997)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer overread in `freerdp_image_copy_from_icon_data()` (libfreerdp/codec/color.c) can be triggered by crafted RDP Window Icon (TS_ICON_INFO) data. The bug is reachable over the network when a client processes icon data from an RDP server (or from a man-in-the-middle). Version 3.23.0 fixes the issue. (CVE-2026-26271)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability. (CVE-2026-26986)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a missing bounds check in `smartcard_unpack_read_size_align()` (`libfreerdp/utils/smartcard_pack.c:1703`) allows a malicious RDP server to crash the FreeRDP client via a reachable `WINPR_ASSERT` - `abort()`. The crash occurs in upstream builds where `WITH_VERBOSE_WINPR_ASSERT=ON` (default in FreeRDP 3.22.0 / current WinPR CMake defaults). Smartcard redirection must be explicitly enabled by the user (e.g., `xfreerdp /smartcard`; `/smartcard-logon` implies `/smartcard`). Version 3.23.0 fixes the issue. (CVE-2026-27015)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `Stream_EnsureCapacity` can create an endless blocking loop. This may affect all client and server implementations using `FreeRDP`. For practical exploitation this will only work on 32bit systems where the available physical memory is `>= SIZE_MAX`. Version 3.23.0 contains a patch. No known workarounds are available. (CVE-2026-27951)

A flaw was found in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). The `gdi_surface_bits()` function, which processes `SURFACE_BITS_COMMAND` messages, does not properly validate image dimensions (`bmp.width` and `bmp.height`) provided by a malicious RDP server. This can lead to a heap buffer overflow during bitmap decoding and memory operations. A remote attacker could exploit this to overwrite adjacent memory, potentially resulting in arbitrary code execution. (CVE-2026-31806)

Affected Packages:

freerdp

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update freerdp or yum update --advisory ALAS2-2026-3221 to update your system.

New Packages:

aarch64:
    freerdp-2.11.7-1.amzn2.0.8.aarch64
    freerdp-libs-2.11.7-1.amzn2.0.8.aarch64
    freerdp-devel-2.11.7-1.amzn2.0.8.aarch64
    libwinpr-2.11.7-1.amzn2.0.8.aarch64
    libwinpr-devel-2.11.7-1.amzn2.0.8.aarch64
    freerdp-debuginfo-2.11.7-1.amzn2.0.8.aarch64

i686:
    freerdp-2.11.7-1.amzn2.0.8.i686
    freerdp-libs-2.11.7-1.amzn2.0.8.i686
    freerdp-devel-2.11.7-1.amzn2.0.8.i686
    libwinpr-2.11.7-1.amzn2.0.8.i686
    libwinpr-devel-2.11.7-1.amzn2.0.8.i686
    freerdp-debuginfo-2.11.7-1.amzn2.0.8.i686

src:
    freerdp-2.11.7-1.amzn2.0.8.src

x86_64:
    freerdp-2.11.7-1.amzn2.0.8.x86_64
    freerdp-libs-2.11.7-1.amzn2.0.8.x86_64
    freerdp-devel-2.11.7-1.amzn2.0.8.x86_64
    libwinpr-2.11.7-1.amzn2.0.8.x86_64
    libwinpr-devel-2.11.7-1.amzn2.0.8.x86_64
    freerdp-debuginfo-2.11.7-1.amzn2.0.8.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2026-25941, CVE-2026-25942, CVE-2026-25952, CVE-2026-25953, CVE-2026-25954, CVE-2026-25997, CVE-2026-26271, CVE-2026-26986, CVE-2026-27015, CVE-2026-27951, CVE-2026-31806

Mitre: CVE-2026-25941, CVE-2026-25942, CVE-2026-25952, CVE-2026-25953, CVE-2026-25954, CVE-2026-25997, CVE-2026-26271, CVE-2026-26986, CVE-2026-27015, CVE-2026-27951, CVE-2026-31806