FreeRDP, an open-source RDP client implementation, has multiple security vulnerabilities including denial of service via use-after-free (CVE-2026-25952), double free during disconnect (CVE-2026-26986), endless blocking loop (CVE-2026-27951), heap-buffer-overflow via out-of-bounds cacheId (CVE-2026-29775), out-of-bounds read in ADPCM decoders due to missing bounds checks (CVE-2026-31885), division-by-zero in ADPCM decoders when nBlockAlign is zero (CVE-2026-31884), denial of service via crafted audio data (CVE-2026-31883), and information disclosure via heap memory out-of-bounds read (CVE-2026-33985). These vulnerabilities affect Red Hat Enterprise Linux 8 and related packages. Red Hat has released updated packages to fix these issues as detailed in advisory RHSA-2026:16019.

The vulnerabilities can lead to denial of service conditions through memory corruption and logic errors, potentially causing the FreeRDP client to crash or become unresponsive. One vulnerability allows information disclosure via out-of-bounds heap memory reads. These issues could disrupt remote desktop sessions or leak sensitive memory contents. No known exploits in the wild have been reported. The overall impact is considered moderate by Red Hat.

Red Hat has released updated packages for FreeRDP in Red Hat Enterprise Linux 8 to address all identified vulnerabilities. Users should apply these official security updates as soon as possible. Detailed instructions for applying the update are available in Red Hat advisory RHSA-2026:16019 and the referenced article https://access.redhat.com/articles/11258. Since this is not a cloud service, remediation requires manual update by system administrators. No additional mitigations beyond applying the official patches are indicated by the vendor.