Amazon Linux 2023 Security Advisory: ALAS2023-2026-1822
Advisory Released Date: 2026-06-22
Advisory Updated Date: 2026-06-22
Severity: Important

Issue Overview:

FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but performs copy operations using unclamped cache entry dimensions, enabling malicious RDP servers to trigger large out-of-bounds writes and potentially achieve remote code execution or client crash. (CVE-2026-40033)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP's server-side clipboard (cliprdr) channel by sending a CB_CLIP_CAPS PDU with a too-small capabilitySetLength. This can crash the server process (remote DoS) and may be exploitable for code execution because it corrupts heap memory. This vulnerability is fixed in 3.26.0. (CVE-2026-44420)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client by sending crafted RDPGFX PDUs. The bug is in gdi_CacheToSurface: it validates a destination rectangle that is clamped to UINT16_MAX, but then performs the copy using the original cacheEntry->width/height. This can cause a large out-of-bounds heap write and may lead to client crashes or code execution. This bug is reachable from a malicious RDP server, but only when the client has RDPGFX enabled. This vulnerability is fixed in 3.26.0. (CVE-2026-44421)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/planar.c, freerdp_bitmap_decompress_planar() validates the X destination coordinate nXDst against the caller-provided destination stride (nDstStep) even when it is writing into the internal temp buffer pTempData. An attacker can bypass the check with a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData. This vulnerability is fixed in 3.26.0. (CVE-2026-45700)
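
The validation mismatch described for CVE-2026-44421 (and, in the same spirit, the stride check described for CVE-2026-45700), as an added C illustration that is not FreeRDP's code: the structures, the 1-byte-per-pixel surface and the function names are assumptions, and the flawed check is modelled only as far as the advisory text describes it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified types (not FreeRDP's): a 1-byte-per-pixel surface
 * and a cached bitmap to be copied onto it. */
typedef struct { uint32_t width, height; const uint8_t *data; } cache_entry_t;
typedef struct { uint32_t width, height; uint8_t *pixels; } surface_t;

/* Flawed pattern from the advisory: the destination rectangle is narrowed to
 * 16-bit edges (clamped to UINT16_MAX) before validation, while the copy that
 * follows uses the unclamped entry dimensions, so the check and the write disagree. */
static bool clamped_rect_check(const surface_t *s, uint32_t x, uint32_t y, const cache_entry_t *e)
{
    uint64_t right  = (uint64_t)x + e->width;
    uint64_t bottom = (uint64_t)y + e->height;
    uint16_t r16 = right  > UINT16_MAX ? UINT16_MAX : (uint16_t)right;
    uint16_t b16 = bottom > UINT16_MAX ? UINT16_MAX : (uint16_t)bottom;
    return r16 <= s->width && b16 <= s->height;
}

/* Hardened pattern: validate exactly the extent the copy will write, in
 * arithmetic that cannot wrap, against the buffer that is actually written. */
static bool copy_extent_check(const surface_t *s, uint32_t x, uint32_t y, const cache_entry_t *e)
{
    return (uint64_t)x + e->width  <= s->width &&
           (uint64_t)y + e->height <= s->height;
}

/* Copies the entry at (x, y) only after the strict check; writes nothing otherwise. */
bool cache_to_surface(surface_t *s, uint32_t x, uint32_t y, const cache_entry_t *e)
{
    if (!copy_extent_check(s, x, y, e))
        return false;
    for (uint32_t row = 0; row < e->height; row++)
        memcpy(s->pixels + (size_t)(y + row) * s->width + x,
               e->data + (size_t)row * e->width, e->width);
    return true;
}

/* True when the flawed check accepts a copy that the strict check rejects. */
bool check_mismatch(const surface_t *s, uint32_t x, uint32_t y, const cache_entry_t *e)
{
    return clamped_rect_check(s, x, y, e) && !copy_extent_check(s, x, y, e);
}
```

The defensive rule this demonstrates is that a bounds check must be computed from the same operands, and against the same buffer, that the subsequent copy actually uses; for the planar case in CVE-2026-45700 that means the temp buffer's own size rather than a caller-supplied stride.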


Affected Packages:

freerdp


Issue Correction:
Run dnf update freerdp --releasever 2023.12.20260622 or dnf update --advisory ALAS2023-2026-1822 --releasever 2023.12.20260622 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    freerdp-libs-debuginfo-3.6.3-1.amzn2023.0.12.aarch64
    libwinpr-debuginfo-3.6.3-1.amzn2023.0.12.aarch64
    libwinpr-devel-3.6.3-1.amzn2023.0.12.aarch64
    freerdp-debuginfo-3.6.3-1.amzn2023.0.12.aarch64
    freerdp-server-3.6.3-1.amzn2023.0.12.aarch64
    freerdp-server-debuginfo-3.6.3-1.amzn2023.0.12.aarch64
    libwinpr-3.6.3-1.amzn2023.0.12.aarch64
    freerdp-libs-3.6.3-1.amzn2023.0.12.aarch64
    freerdp-3.6.3-1.amzn2023.0.12.aarch64
    freerdp-devel-3.6.3-1.amzn2023.0.12.aarch64
    freerdp-debugsource-3.6.3-1.amzn2023.0.12.aarch64

src:
    freerdp-3.6.3-1.amzn2023.0.12.src

x86_64:
    freerdp-libs-debuginfo-3.6.3-1.amzn2023.0.12.x86_64
    libwinpr-debuginfo-3.6.3-1.amzn2023.0.12.x86_64
    freerdp-server-debuginfo-3.6.3-1.amzn2023.0.12.x86_64
    libwinpr-devel-3.6.3-1.amzn2023.0.12.x86_64
    freerdp-debuginfo-3.6.3-1.amzn2023.0.12.x86_64
    freerdp-server-3.6.3-1.amzn2023.0.12.x86_64
    libwinpr-3.6.3-1.amzn2023.0.12.x86_64
    freerdp-3.6.3-1.amzn2023.0.12.x86_64
    freerdp-libs-3.6.3-1.amzn2023.0.12.x86_64
    freerdp-devel-3.6.3-1.amzn2023.0.12.x86_64
    freerdp-debugsource-3.6.3-1.amzn2023.0.12.x86_64