freerdp3 - Debian Package Tracker

general

source: freerdp3 (main)
version: 3.21.0+dfsg-1
maintainer: Debian Remote Maintainers (archive) (DMD)
uploaders: Mike Gabriel [DMD] – Michael Tokarev [DMD] – Bernhard Miklautz [DMD]
arch: any
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

old-bpo: 3.10.3+dfsg-1~bpo12+1
stable: 3.15.0+dfsg-2.1
testing: 3.20.0+dfsg-1
unstable: 3.21.0+dfsg-1

versioned links

3.10.3+dfsg-1~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.15.0+dfsg-2.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.20.0+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.20.2+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.21.0+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

freerdp3-dev
freerdp3-proxy
freerdp3-proxy-modules
freerdp3-sdl (1 bugs: 0, 0, 1, 0)
freerdp3-shadow-x11
freerdp3-wayland
freerdp3-x11 (1 bugs: 0, 1, 0, 0)
libfreerdp-client3-3
libfreerdp-server-proxy3-3
libfreerdp-server3-3
libfreerdp-shadow-subsystem3-3
libfreerdp-shadow3-3
libfreerdp3-3 (1 bugs: 0, 1, 0, 0)
libwinpr-tools3-3
libwinpr3-3
libwinpr3-dev
winpr3-utils

action needed

17 security issues in forky high

There are 17 open security issues in forky.

17 important issues:

CVE-2026-22851: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has been freed during RDPGFX ResetGraphics handling. This vulnerability is fixed in 3.20.1.
CVE-2026-22852: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.
CVE-2026-22853: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1.
CVE-2026-22854: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1.
CVE-2026-22855: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1.
CVE-2026-22856: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.
CVE-2026-22857: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.
CVE-2026-22858: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1.
CVE-2026-22859: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out‑of‑bounds read. This vulnerability is fixed in 3.20.1.
CVE-2026-23530: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVE-2026-23531: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVE-2026-23532: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVE-2026-23533: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVE-2026-23534: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVE-2026-23732: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client‑side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue.
CVE-2026-23883: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVE-2026-23884: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

Created: 2026-01-15 Last update: 2026-01-20 12:30

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2025-09-18 Last update: 2026-01-20 16:30

1 open merge request in Salsa normal

There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-09-06 Last update: 2025-12-18 07:03

AppStream hints: 2 warnings for freerdp3-sdl,freerdp3-x11 normal

AppStream found metadata issues for packages:

freerdp3-sdl: 1 warning
freerdp3-x11: 1 warning

You should get rid of them to provide more metadata about this software.

Created: 2025-04-15 Last update: 2025-04-15 06:03

17 low-priority security issues in trixie low

There are 17 open security issues in trixie.

17 issues left for the package maintainer to handle:

CVE-2026-22851: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has been freed during RDPGFX ResetGraphics handling. This vulnerability is fixed in 3.20.1.
CVE-2026-22852: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.
CVE-2026-22853: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1.
CVE-2026-22854: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1.
CVE-2026-22855: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1.
CVE-2026-22856: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.
CVE-2026-22857: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.
CVE-2026-22858: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1.
CVE-2026-22859: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out‑of‑bounds read. This vulnerability is fixed in 3.20.1.
CVE-2026-23530: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVE-2026-23531: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVE-2026-23532: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVE-2026-23533: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVE-2026-23534: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVE-2026-23732: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client‑side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue.
CVE-2026-23883: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVE-2026-23884: (needs triaging) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-01-15 Last update: 2026-01-20 12:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.3 instead of 4.7.2).

Created: 2025-12-23 Last update: 2026-01-20 07:18

testing migrations

This package will soon be part of the auto-icu transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migration status for freerdp3 (3.20.0+dfsg-1 to 3.21.0+dfsg-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for freerdp3/3.21.0+dfsg-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass
- ∙ ∙ Autopkgtest for gnome-remote-desktop/49.2-2: amd64: Regression ♻ (reference ♻), arm64: Pass, i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: Test triggered, riscv64: Pass
- ∙ ∙ Autopkgtest for medusa/2.3-3: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass
- ∙ ∙ Autopkgtest for weston/14.0.2-5: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass
- ∙ ∙ Missing build on s390x
- ∙ ∙ Autopkgtest deferred on s390x: missing arch:s390x build
- ∙ ∙ Lintian check waiting for test results - info
- ∙ ∙ Too young, only 0 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/f/freerdp3.html
- ∙ ∙ Waiting for reproducibility test results on amd64 - info ♻
- ∙ ∙ Waiting for reproducibility test results on arm64 - info ♻
- Not considered

news

[rss feed]

[2026-01-19] Accepted freerdp3 3.21.0+dfsg-1 (source) into unstable (Michael Tokarev)
[2026-01-14] Accepted freerdp3 3.20.2+dfsg-1 (source) into unstable (Michael Tokarev)
[2025-12-20] freerdp3 3.20.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-12-18] Accepted freerdp3 3.20.0+dfsg-1 (source) into unstable (Michael Tokarev)
[2025-12-16] freerdp3 3.19.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-12-12] Accepted freerdp3 3.19.1+dfsg-1 (source) into unstable (Michael Tokarev)
[2025-12-08] freerdp3 3.19.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-12-05] Accepted freerdp3 3.19.0+dfsg-1 (source) into unstable (Michael Tokarev)
[2025-11-18] freerdp3 3.18.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-11-15] Accepted freerdp3 3.18.0+dfsg-1 (source) into unstable (Michael Tokarev)
[2025-09-25] freerdp3 3.17.2+dfsg-3 MIGRATED to testing (Debian testing watch)
[2025-09-25] freerdp3 3.17.2+dfsg-3 MIGRATED to testing (Debian testing watch)
[2025-09-23] Accepted freerdp3 3.17.2+dfsg-3 (source) into unstable (Michael Tokarev)
[2025-09-19] Accepted freerdp3 3.17.2+dfsg-2 (source) into unstable (Michael Tokarev)
[2025-09-19] Accepted freerdp3 3.17.2+dfsg-1 (source) into unstable (Michael Tokarev)
[2025-09-10] freerdp3 3.17.1+dfsg-2 MIGRATED to testing (Debian testing watch)
[2025-09-06] Accepted freerdp3 3.17.1+dfsg-2 (source) into unstable (Michael Tokarev)
[2025-09-01] Accepted freerdp3 3.17.1+dfsg-1 (source) into unstable (Michael Tokarev)
[2025-08-25] freerdp3 3.17.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-08-22] Accepted freerdp3 3.17.0+dfsg-1 (source) into unstable (Michael Tokarev)
[2025-08-13] freerdp3 3.16.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2025-07-14] Accepted freerdp3 3.16.0+dfsg-2 (source) into unstable (Michael Tokarev)
[2025-06-25] Accepted freerdp3 3.16.0+dfsg-1 (source) into unstable (Michael Tokarev)
[2025-05-28] freerdp3 3.15.0+dfsg-2.1 MIGRATED to testing (Debian testing watch)
[2025-05-26] Accepted freerdp3 3.15.0+dfsg-2.1 (source) into unstable (Daniel Baumann)
[2025-05-05] freerdp3 3.15.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2025-04-25] Accepted freerdp3 3.15.0+dfsg-2 (source) into unstable (Michael Tokarev)
[2025-04-25] freerdp3 3.15.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-04-14] Accepted freerdp3 3.15.0+dfsg-1 (source) into unstable (Michael Tokarev)
[2025-04-12] freerdp3 3.14.1+dfsg-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 4
RC: 0
I&N: 3
M&W: 1
F&P: 0
patch: 1

links

homepage
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.20.2+dfsg-1
1 bug