Bug 2429649 (CVE-2026-22858) - CVE-2026-22858 freerdp: FreeRDP global-buffer-overflow
Summary: CVE-2026-22858 freerdp: FreeRDP global-buffer-overflow
Keywords:
Status: NEW
Alias: CVE-2026-22858
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2429801 2429809 2429823 2429805 2429816
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-01-14 18:01 UTC by OSIDB Bzimport
Modified: 2026-03-12 14:28 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:3067 0 None None None 2026-02-23 10:46:25 UTC
Red Hat Product Errata RHSA-2026:3068 0 None None None 2026-02-23 10:10:07 UTC
Red Hat Product Errata RHSA-2026:3334 0 None None None 2026-02-25 11:15:36 UTC
Red Hat Product Errata RHSA-2026:3975 0 None None None 2026-03-09 02:00:42 UTC
Red Hat Product Errata RHSA-2026:4121 0 None None None 2026-03-09 18:01:15 UTC
Red Hat Product Errata RHSA-2026:4433 0 None None None 2026-03-12 08:22:09 UTC
Red Hat Product Errata RHSA-2026:4437 0 None None None 2026-03-12 08:29:00 UTC
Red Hat Product Errata RHSA-2026:4438 0 None None None 2026-03-12 08:55:45 UTC
Red Hat Product Errata RHSA-2026:4439 0 None None None 2026-03-12 08:49:43 UTC
Red Hat Product Errata RHSA-2026:4440 0 None None None 2026-03-12 09:06:46 UTC
Red Hat Product Errata RHSA-2026:4446 0 None None None 2026-03-12 09:11:20 UTC
Red Hat Product Errata RHSA-2026:4471 0 None None None 2026-03-12 13:27:08 UTC
Red Hat Product Errata RHSA-2026:4489 0 None None None 2026-03-12 14:28:30 UTC

Description OSIDB Bzimport 2026-01-14 18:01:38 UTC 
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1.
Comment 2 errata-xmlrpc 2026-02-23 10:10:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:3068 https://access.redhat.com/errata/RHSA-2026:3068
Comment 3 errata-xmlrpc 2026-02-23 10:46:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:3067 https://access.redhat.com/errata/RHSA-2026:3067
Comment 4 errata-xmlrpc 2026-02-25 11:15:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:3334 https://access.redhat.com/errata/RHSA-2026:3334
Comment 5 errata-xmlrpc 2026-03-09 02:00:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:3975 https://access.redhat.com/errata/RHSA-2026:3975
Comment 6 errata-xmlrpc 2026-03-09 18:01:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:4121 https://access.redhat.com/errata/RHSA-2026:4121
Comment 7 errata-xmlrpc 2026-03-12 08:22:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:4433 https://access.redhat.com/errata/RHSA-2026:4433
Comment 8 errata-xmlrpc 2026-03-12 08:28:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:4437 https://access.redhat.com/errata/RHSA-2026:4437
Comment 9 errata-xmlrpc 2026-03-12 08:49:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:4439 https://access.redhat.com/errata/RHSA-2026:4439
Comment 10 errata-xmlrpc 2026-03-12 08:55:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:4438 https://access.redhat.com/errata/RHSA-2026:4438
Comment 11 errata-xmlrpc 2026-03-12 09:06:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:4440 https://access.redhat.com/errata/RHSA-2026:4440
Comment 12 errata-xmlrpc 2026-03-12 09:11:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:4446 https://access.redhat.com/errata/RHSA-2026:4446
Comment 13 errata-xmlrpc 2026-03-12 13:27:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:4471 https://access.redhat.com/errata/RHSA-2026:4471
Comment 14 errata-xmlrpc 2026-03-12 14:28:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:4489 https://access.redhat.com/errata/RHSA-2026:4489
Note You need to log in before you can comment on or make changes to this bug.