ALAS2-2026-3166


Amazon Linux 2 Security Advisory: ALAS2-2026-3166
Advisory Released Date: 2026-02-19
Advisory Updated Date: 2026-02-19
Severity: Medium

Issue Overview:

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1. (CVE-2026-22852)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1. (CVE-2026-22854)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1. (CVE-2026-22855)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use-after-free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1. (CVE-2026-22856)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server-supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out-of-bounds read. This vulnerability is fixed in 3.20.1. (CVE-2026-22859)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client-side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue. (CVE-2026-23732)
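The first, second and last entries above share one pattern: a value the server controls (a format count, a read length, a glyph data length) is used to size or index a client-side buffer without a check against what was actually allocated or received. The block below is an added illustration of the defensive handling, written for this page; it is not FreeRDP code, and the PDU layout, limits (MAX_FORMATS, MAX_IRP_OUTPUT), the 1 bpp glyph packing assumption and every function name are hypothetical. Each check rejects or clamps before any state is mutated, and a repeated format-list PDU replaces the stored count together with the array instead of carrying the old count into a new allocation.

```c
/* Added example, not FreeRDP code: defensive handling of server-supplied
 * counts and lengths of the kind described in the advisory. Wire layout,
 * names and limits are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FORMAT_ENTRY_SIZE 4u      /* hypothetical: 4 bytes per format entry */
#define MAX_FORMATS       256u    /* hypothetical policy cap on list size */
#define MAX_IRP_OUTPUT    65536u  /* hypothetical cap on one IRP output buffer */

/* Per-channel state: the count and the array it describes are always
 * replaced together, so the count never outlives the allocation. */
typedef struct {
    uint32_t *formats;
    uint32_t  formats_count;
} audin_state;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one format-list PDU laid out as [count:u32][count * entry:u32].
 * Returns 0 on success, -1 on malformed input (state left untouched). */
int audin_process_formats(audin_state *st, const uint8_t *pdu, size_t len)
{
    if (len < 4) return -1;
    uint32_t count = rd32le(pdu);
    /* Bound the count by policy and by the bytes the PDU really carries,
     * so the copy loop can never run past the input or the new array. */
    if (count > MAX_FORMATS) return -1;
    if ((len - 4) / FORMAT_ENTRY_SIZE < count) return -1;

    uint32_t *arr = calloc(count ? count : 1, sizeof(uint32_t));
    if (!arr) return -1;
    for (uint32_t i = 0; i < count; i++)
        arr[i] = rd32le(pdu + 4 + (size_t)i * FORMAT_ENTRY_SIZE);

    /* A repeated PDU replaces the previous list: free the old array and
     * install the new count with it, never reuse the old count. */
    free(st->formats);
    st->formats = arr;
    st->formats_count = count;
    return 0;
}

/* Drive-read style length check: clamp the requested length to the
 * remaining file size and to a hard cap before any data is copied into
 * the output buffer. Returns the safe length, or 0 if the request is
 * outside the file entirely. */
size_t bounded_read_len(uint64_t requested, uint64_t offset, uint64_t file_size)
{
    if (offset > file_size) return 0;
    uint64_t avail = file_size - offset;
    if (requested > avail) requested = avail;
    if (requested > MAX_IRP_OUTPUT) requested = MAX_IRP_OUTPUT;
    return (size_t)requested;
}

/* FastGlyph-style check: the minimum data implied by the declared cx/cy
 * must fit in cbData. Assumes 1 bpp rows padded to a whole byte, which
 * is an assumption of this example, not the real encoding's rule. */
int glyph_len_ok(uint32_t cx, uint32_t cy, uint32_t cbData)
{
    if (cx == 0 || cy == 0 || cx > 256 || cy > 256) return 0;
    uint64_t need = (uint64_t)((cx + 7) / 8) * cy;
    return need <= cbData;
}

void audin_state_free(audin_state *st)
{
    free(st->formats);
    st->formats = NULL;
    st->formats_count = 0;
}

/* Constructed sample PDUs (little-endian), not captured traffic. */
const uint8_t sample_formats_a[]   = {3,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0};
const uint8_t sample_formats_b[]   = {1,0,0,0, 9,0,0,0};
const uint8_t sample_formats_bad[] = {5,0,0,0, 1,0,0,0}; /* claims 5, carries 1 */

int main(void)
{
    audin_state st = {0};
    if (audin_process_formats(&st, sample_formats_a, sizeof sample_formats_a) == 0)
        printf("list A: %u formats\n", st.formats_count);
    if (audin_process_formats(&st, sample_formats_b, sizeof sample_formats_b) == 0)
        printf("list B replaced it: %u format(s)\n", st.formats_count);
    printf("malformed list accepted? %s\n",
           audin_process_formats(&st, sample_formats_bad, sizeof sample_formats_bad) == 0
               ? "yes" : "no");
    audin_state_free(&st);
    return 0;
}
```

The malformed list is rejected before the old state is touched, so a client that has already negotiated a valid list keeps it; the read-length helper returns a short read rather than failing, which is the behaviour a file protocol normally expects.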


Affected Packages:

freerdp


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update freerdp or yum update --advisory ALAS2-2026-3166 to update your system.

New Packages:
aarch64:
    freerdp-2.11.7-1.amzn2.0.4.aarch64
    freerdp-libs-2.11.7-1.amzn2.0.4.aarch64
    freerdp-devel-2.11.7-1.amzn2.0.4.aarch64
    libwinpr-2.11.7-1.amzn2.0.4.aarch64
    libwinpr-devel-2.11.7-1.amzn2.0.4.aarch64
    freerdp-debuginfo-2.11.7-1.amzn2.0.4.aarch64

i686:
    freerdp-2.11.7-1.amzn2.0.4.i686
    freerdp-libs-2.11.7-1.amzn2.0.4.i686
    freerdp-devel-2.11.7-1.amzn2.0.4.i686
    libwinpr-2.11.7-1.amzn2.0.4.i686
    libwinpr-devel-2.11.7-1.amzn2.0.4.i686
    freerdp-debuginfo-2.11.7-1.amzn2.0.4.i686

src:
    freerdp-2.11.7-1.amzn2.0.4.src

x86_64:
    freerdp-2.11.7-1.amzn2.0.4.x86_64
    freerdp-libs-2.11.7-1.amzn2.0.4.x86_64
    freerdp-devel-2.11.7-1.amzn2.0.4.x86_64
    libwinpr-2.11.7-1.amzn2.0.4.x86_64
    libwinpr-devel-2.11.7-1.amzn2.0.4.x86_64
    freerdp-debuginfo-2.11.7-1.amzn2.0.4.x86_64