ELA-1483-1 freerdp2 security update

multiple vulnerabilities

2025-07-18
Package: freerdp2
Version: 2.3.0+dfsg1-2+deb11u3~deb10u1 (buster)
Related CVEs: CVE-2022-24882 CVE-2022-39320 CVE-2024-22211 CVE-2024-32039 CVE-2024-32040 CVE-2024-32041 CVE-2024-32458 CVE-2024-32459 CVE-2024-32460 CVE-2024-32658 CVE-2024-32659 CVE-2024-32660 CVE-2024-32661


Multiple vulnerabilities have been fixed in freerdp2, an implementation of the Remote Desktop Protocol.

CVE-2022-24882

Server side NTLM does not properly check parameters

CVE-2022-39320

Heap buffer overflow in urbdrc channel

CVE-2024-22211

Integer overflow in freerdp_bitmap_planar_context_reset 

CVE-2024-32039

Integer overflow and out of bounds write in clear_decompress_residual_data

CVE-2024-32040

Integer underflow in nsc_rle_decode 

CVE-2024-32041

Out of bounds read in zgfx_decompress_segment

CVE-2024-32458

Out of bounds read in planar_skip_plane_rle

CVE-2024-32459

Out of bounds read in ncrush_decompress

CVE-2024-32460

Out of bounds read in interleaved_decompress 

CVE-2024-32658

Out of bounds read in ExtractRunLengthRegular*

CVE-2024-32659

Out of bounds read in freerdp_image_copy

CVE-2024-32660

Out of memory in zgfx_decompress

CVE-2024-32661

NULL dereference in rdp_write_logon_info_v1


For Debian 10 buster, these problems have been fixed in version 2.3.0+dfsg1-2+deb11u3~deb10u1.

We recommend that you upgrade your freerdp2 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.