Marc-Andre Moreau

57 exploits Active since Aug 2023
CVE-2026-25953 WRITEUP CRITICAL WRITEUP
FreeRDP < 3.23.0 - Use-After-Free in xf_rail Window Handling
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue.
CVSS 9.8
CVE-2026-25954 WRITEUP HIGH WRITEUP
FreeRDP < 3.23.0 - Use-After-Free in xf_rail_server_local_move_size
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
CVSS 7.5
CVE-2026-25955 WRITEUP CRITICAL WRITEUP
FreeRDP < 3.23.0 - Use-After-Free in xf_AppUpdateWindowFromSurface
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue.
CVSS 9.8
CVE-2026-26986 WRITEUP HIGH WRITEUP
FreeRDP < 3.23.0 - Use-After-Free in xf_rail_window_common
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.
CVSS 7.5
CVE-2026-25942 WRITEUP HIGH WRITEUP
FreeRDP <3.23.0 - Memory Corruption
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 0–6) with an unchecked `execResult->execResult` value received from the server, allowing an out-of-bounds read when the server sends an `execResult` value of 7 or greater. Version 3.23.0 fixes the issue.
CVSS 7.5
CVE-2026-25952 WRITEUP CRITICAL WRITEUP
FreeRDP < 3.23.0 - Use-After-Free in xf_SetWindowMinMaxInfo
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
CVSS 9.8
CVE-2026-25953 WRITEUP CRITICAL WRITEUP
FreeRDP < 3.23.0 - Use-After-Free in xf_rail Window Handling
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue.
CVSS 9.8
CVE-2026-25954 WRITEUP HIGH WRITEUP
FreeRDP < 3.23.0 - Use-After-Free in xf_rail_server_local_move_size
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
CVSS 7.5
CVE-2026-25955 WRITEUP CRITICAL WRITEUP
FreeRDP < 3.23.0 - Use-After-Free in xf_AppUpdateWindowFromSurface
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue.
CVSS 9.8
CVE-2026-26986 WRITEUP HIGH WRITEUP
FreeRDP < 3.23.0 - Use-After-Free in xf_rail_window_common
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.
CVSS 7.5
CVE-2026-25942 WRITEUP HIGH WRITEUP
FreeRDP <3.23.0 - Memory Corruption
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 0–6) with an unchecked `execResult->execResult` value received from the server, allowing an out-of-bounds read when the server sends an `execResult` value of 7 or greater. Version 3.23.0 fixes the issue.
CVSS 7.5
CVE-2026-25952 WRITEUP CRITICAL WRITEUP
FreeRDP < 3.23.0 - Use-After-Free in xf_SetWindowMinMaxInfo
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
CVSS 9.8
CVE-2026-25953 WRITEUP CRITICAL WRITEUP
FreeRDP < 3.23.0 - Use-After-Free in xf_rail Window Handling
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue.
CVSS 9.8
CVE-2026-25954 WRITEUP HIGH WRITEUP
FreeRDP < 3.23.0 - Use-After-Free in xf_rail_server_local_move_size
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
CVSS 7.5
CVE-2026-25955 WRITEUP CRITICAL WRITEUP
FreeRDP < 3.23.0 - Use-After-Free in xf_AppUpdateWindowFromSurface
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue.
CVSS 9.8
CVE-2026-26986 WRITEUP HIGH WRITEUP
FreeRDP < 3.23.0 - Use-After-Free in xf_rail_window_common
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.
CVSS 7.5
CVE-2023-39352 WRITEUP MEDIUM WRITEUP
FreeRDP < 2.11.0 - Out-of-Bounds Write via Invalid Offset Validation
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an invalid offset validation leading to Out Of Bound Write. This can be triggered when the values `rect->left` and `rect->top` are exactly equal to `surface->width` and `surface->height`. eg. `rect->left` == `surface->width` && `rect->top` == `surface->height`. In practice this should cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 5.3
CVE-2023-39356 WRITEUP MEDIUM WRITEUP
FreeRDP < 2.11.0 - Out-of-Bounds Read in gdi_multi_opaque_rect
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a missing offset validation may lead to an Out Of Bound Read in the function `gdi_multi_opaque_rect`. In particular there is no code to validate if the value `multi_opaque_rect->numRectangles` is less than 45. Looping through `multi_opaque_rect->`numRectangles without proper boundary checks can lead to Out-of-Bounds Read errors which will likely lead to a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 5.3
CVE-2023-40181 WRITEUP MEDIUM WRITEUP
FreeRDP < 2.11.0 - Integer Underflow in zgfx_decompress_segment
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Integer-Underflow leading to Out-Of-Bound Read in the `zgfx_decompress_segment` function. In the context of `CopyMemory`, it's possible to read data beyond the transmitted packet range and likely cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS 5.3
CVE-2023-40186 WRITEUP MEDIUM WRITEUP
FreeRDP < 2.11.0 - Integer Overflow to Out-of-Bounds Write in gdi_CreateSurface
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an IntegerOverflow leading to Out-Of-Bound Write Vulnerability in the `gdi_CreateSurface` function. This issue affects FreeRDP based clients only. FreeRDP proxies are not affected as image decoding is not done by a proxy. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS 6.5
CVE-2023-40567 WRITEUP MEDIUM WRITEUP
FreeRDP <2.11.0, <3.0.0-beta3 - Memory Corruption
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Write in the `clear_decompress_bands_data` function in which there is no offset validation. Abuse of this vulnerability may lead to an out of bounds write. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. there are no known workarounds for this vulnerability.
CVSS 6.5
CVE-2023-40569 WRITEUP MEDIUM WRITEUP
FreeRDP <2.11.0, <3.0.0-beta3 - Buffer Overflow
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Write in the `progressive_decompress` function. This issue is likely down to incorrect calculations of the `nXSrc` and `nYSrc` variables. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. there are no known workarounds for this vulnerability.
CVSS 6.5
CVE-2023-40574 WRITEUP MEDIUM WRITEUP
FreeRDP <3.0.0-beta3 - Buffer Overflow
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Write in the `writePixelBGRX` function. This issue is likely down to incorrect calculations of the `nHeight` and `srcStep` variables. This issue has been addressed in version 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS 6.5
CVE-2023-40575 WRITEUP MEDIUM WRITEUP
FreeRDP <3.0.0-beta3 - Memory Corruption
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Read in the `general_YUV444ToRGB_8u_P3AC4R_BGRX` function. This issue is likely down to insufficient data for the `pSrc` variable and results in crashes. This issue has been addressed in version 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS 5.3
CVE-2026-23530 WRITEUP CRITICAL WRITEUP
FreeRDP < 3.21.0 - Heap-based Buffer Overflow in Planar Bitmap Decompression
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVSS 9.8