Out-of-bounds Write The advisory has been revoked - it doesn't affect any version of package libwinpr  (opens in a new tab)

The Red Hat security team deemed this advisory irrelevant for RHEL:10.

Note: Versions mentioned in the description apply only to the upstream libwinpr package and not the libwinpr package as distributed by RHEL.

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, planar_decompress_plane_rle() writes into pDstData at ((nYDst+y) * nDstStep) + (4*nXDst) + nChannel without verifying that (nYDst+nSrcHeight) fits in the destination height or that (nXDst+nSrcWidth) fits in the destination stride. When TempFormat != DstFormat, pDstData becomes planar->pTempData (sized for the desktop), while nYDst is only validated against the surface by is_within_surface(). A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128×128), an adjacent NSC_CONTEXT struct's decode function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (nsc->decode = 0xFF414141FF414141). Version 3.23.0 fixes the vulnerability.

• https://bugzilla.redhat.com/show_bug.cgi?id=2442959
• https://access.redhat.com/security/cve/CVE-2026-26965
• https://access.redhat.com/errata/RHSA-2026:5936
• https://access.redhat.com/errata/RHSA-2026:5939
• https://github.com/FreeRDP/FreeRDP/commit/a0be5cb87d760bb1c803ad1bb835aa1e73e62abc
• https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5vgf-mw4f-r33h