Bug 2430888 (CVE-2026-23534)

Summary: CVE-2026-23534 freerdp: FreeRDP: Arbitrary code execution and denial of service via client-side heap buffer overflow
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in FreeRDP, a free implementation of the Remote Desktop Protocol. A malicious server can trigger a client-side heap buffer overflow in the ClearCodec bands decode path. This vulnerability, caused by crafted band coordinates, allows writes past the end of the destination surface buffer. Successful exploitation can lead to a crash, resulting in a denial of service (DoS), and potentially arbitrary code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2430899, 2430901, 2430903, 2430900, 2430902    
Bug Blocks:    

Description OSIDB Bzimport 2026-01-19 18:02:22 UTC 
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Comment 2 errata-xmlrpc 2026-02-05 10:19:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:2048 https://access.redhat.com/errata/RHSA-2026:2048
Comment 3 errata-xmlrpc 2026-02-05 11:43:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:2081 https://access.redhat.com/errata/RHSA-2026:2081
Comment 4 errata-xmlrpc 2026-02-09 01:33:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:2222 https://access.redhat.com/errata/RHSA-2026:2222
Comment 5 errata-xmlrpc 2026-02-16 13:05:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:2736 https://access.redhat.com/errata/RHSA-2026:2736
Comment 6 errata-xmlrpc 2026-02-18 14:30:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:2952 https://access.redhat.com/errata/RHSA-2026:2952
Comment 7 errata-xmlrpc 2026-02-23 01:50:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:3037 https://access.redhat.com/errata/RHSA-2026:3037