FreeRDP, used in Red Hat Enterprise Linux 10, contains multiple security vulnerabilities including heap use-after-free (CVE-2026-25997, CVE-2026-25952), double free (CVE-2026-26986), heap-buffer-overflow (CVE-2026-29775), out-of-bounds reads in ADPCM decoders (CVE-2026-31885), division-by-zero (CVE-2026-31884), denial of service via crafted audio data (CVE-2026-31883), information disclosure via heap out-of-bounds reads (CVE-2026-33985, CVE-2026-33982), and memory corruption allowing denial of service or arbitrary code execution (CVE-2026-33987). These vulnerabilities are addressed in Red Hat's security advisory RHSA-2026:19142 with updated packages for affected Red Hat Enterprise Linux 10 variants and CodeReady Linux Builder. The advisory rates the security impact as moderate.

The vulnerabilities collectively allow an attacker to cause denial of service conditions through use-after-free, double free, heap-buffer-overflow, out-of-bounds reads, and crafted audio data. Some issues also permit information disclosure via heap memory out-of-bounds reads. Critically, one memory corruption vulnerability may enable arbitrary code execution. These impacts affect systems running vulnerable versions of FreeRDP on Red Hat Enterprise Linux 10 and related products. No known exploits in the wild have been reported at this time.

Red Hat has released updated packages for FreeRDP addressing all listed vulnerabilities as part of advisory RHSA-2026:19142. Users of affected Red Hat Enterprise Linux 10 and related products should apply these official updates promptly. For detailed update instructions, refer to Red Hat's article at https://access.redhat.com/articles/11258. Since this is an official fix, applying the update fully mitigates the vulnerabilities. No additional vendor-recommended mitigations are currently indicated.