ALAS2-2026-3239

Amazon Linux 2 Security Advisory: ALAS2-2026-3239
Advisory Released Date: 2026-04-14
Advisory Updated Date: 2026-04-14

Severity: Medium

References: CVE-2026-29774 CVE-2026-29775 CVE-2026-29776 CVE-2026-31883 CVE-2026-31884 CVE-2026-31885 CVE-2026-31897
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing horizontal bounds validation of H.264 metablock regionRects coordinates. In yuv.c, the clamp() function (line 347) only validates top/bottom against the surface/YUV height, but never checks left/right against the surface width. When avc420_yuv_to_rgb (line 67) computes destination and source pointers using rect->left, it performs unchecked pointer arithmetic that can reach far beyond the allocated surface buffer. A malicious server sends a WIRE_TO_SURFACE_PDU_1 with AVC420 codec containing a regionRects entry where left greatly exceeds the surface width (e.g., left=60000 on a 128px surface). The H.264 bitstream decodes successfully, then yuv420_process_work_callback calls avc420_yuv_to_rgb which computes pDstPoint = pDstData + rect->top * nDstStep + rect->left * 4, writing 16-byte SSE vectors 1888+ bytes past the allocated heap region. This vulnerability is fixed in 3.24.0. (CVE-2026-29774)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0. (CVE-2026-29775)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, Integer Underflow in update_read_cache_bitmap_order Function of FreeRDP's Core Library This vulnerability is fixed in 3.24.0. (CVE-2026-29776)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0. (CVE-2026-31883)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, division by zero in MS-ADPCM and IMA-ADPCM decoders when nBlockAlign is 0, leading to a crash. In libfreerdp/codec/dsp.c, both ADPCM decoders use size % block_size where block_size = context->common.format.nBlockAlign. The nBlockAlign value comes from the Server Audio Formats PDU on the RDPSND channel. The value 0 is not validated anywhere before reaching the decoder. When nBlockAlign = 0, the modulo operation causes a SIGFPE (floating point exception) crash. This vulnerability is fixed in 3.24.0. (CVE-2026-31884)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input data. This vulnerability is fixed in 3.24.0. (CVE-2026-31885)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in freerdp_bitmap_decompress_planar when SrcSize is 0. The function dereferences *srcp (which points to pSrcData) without first verifying that SrcSize >= 1. When SrcSize is 0 and pSrcData is non-NULL, this reads one byte past the end of the source buffer. This vulnerability is fixed in 3.24.0. (CVE-2026-31897)

Affected Packages:

freerdp

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update freerdp or yum update --advisory ALAS2-2026-3239 to update your system.

New Packages:

aarch64:
    freerdp-2.11.7-1.amzn2.0.9.aarch64
    freerdp-libs-2.11.7-1.amzn2.0.9.aarch64
    freerdp-devel-2.11.7-1.amzn2.0.9.aarch64
    libwinpr-2.11.7-1.amzn2.0.9.aarch64
    libwinpr-devel-2.11.7-1.amzn2.0.9.aarch64
    freerdp-debuginfo-2.11.7-1.amzn2.0.9.aarch64

i686:
    freerdp-2.11.7-1.amzn2.0.9.i686
    freerdp-libs-2.11.7-1.amzn2.0.9.i686
    freerdp-devel-2.11.7-1.amzn2.0.9.i686
    libwinpr-2.11.7-1.amzn2.0.9.i686
    libwinpr-devel-2.11.7-1.amzn2.0.9.i686
    freerdp-debuginfo-2.11.7-1.amzn2.0.9.i686

src:
    freerdp-2.11.7-1.amzn2.0.9.src

x86_64:
    freerdp-2.11.7-1.amzn2.0.9.x86_64
    freerdp-libs-2.11.7-1.amzn2.0.9.x86_64
    freerdp-devel-2.11.7-1.amzn2.0.9.x86_64
    libwinpr-2.11.7-1.amzn2.0.9.x86_64
    libwinpr-devel-2.11.7-1.amzn2.0.9.x86_64
    freerdp-debuginfo-2.11.7-1.amzn2.0.9.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2026-29774, CVE-2026-29775, CVE-2026-29776, CVE-2026-31883, CVE-2026-31884, CVE-2026-31885, CVE-2026-31897

Mitre: CVE-2026-29774, CVE-2026-29775, CVE-2026-29776, CVE-2026-31883, CVE-2026-31884, CVE-2026-31885, CVE-2026-31897