Kevin-Valerio

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.26.0 **Description** The planar bitmap decoder contains an out-of-bounds heap write when decoding RLE planar data. In the `libfreerdp/codec/planar.c` file, the `freerdp bitmap decompress planar()` function validates the X destination coordinate `nXDst` against the caller-provided destination stride `nDstStep` while writing into the internal temporary buffer `pTempData`. An attacker can bypass this check by using a large `nDstStep` and a large `nXDst`, which causes the `planar decompress plane rle()` function to write past the end of `pTempData`. **Recommendations** Update to version 3.26.0.

**Name of the Vulnerable Software and Affected Versions** libyang versions prior to 5.2.6 **Description** A heap use-after-free write occurs in the `lyd parser set data flags()` function. This happens when the software incorrectly updates metadata list pointers while freeing non-head default metadata entries. An attacker can trigger this by submitting crafted YANG XML documents containing specific metadata attributes to applications that parse untrusted XML data, which may lead to process crashes or potential code execution. **Recommendations** Update to version 5.2.6 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.26.0 **Description** A heap-buffer-overflow write exists in the server-side clipboard (cliprdr) channel of FreeRDP. The issue occurs within the `cliprdr server receive pdu()` function when processing a CB CLIP CAPS PDU containing an undersized `capabilitySetLength` parameter. A remote attacker can exploit this to corrupt heap memory, potentially leading to arbitrary code execution or a remote denial of service (DoS) by crashing the server process. There have been reports of elevated activities targeting this issue. **Recommendations** Update to version 3.26.0.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.26.0 **Description** A heap-buffer-overflow write can be triggered in the client when connecting to a malicious RDP server that sends crafted RDPGFX PDUs (Protocol Data Units). The issue occurs in the `gdi CacheToSurface()` function, which validates a destination rectangle clamped to `UINT16 MAX` but executes the copy operation using the original `cacheEntry->width` and `cacheEntry->height` variables. This results in a large out-of-bounds heap write that may lead to client crashes or remote code execution. This issue is only reachable when the client has RDPGFX enabled. **Recommendations** Update to version 3.26.0. As a temporary workaround, disable RDPGFX to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.26.0 **Description** A heap-buffer-overflow exists in the `gdi CacheToSurface()` function. This occurs because rectangle validation clamps coordinates to `UINT16 MAX` but copy operations use unclamped cache entry dimensions. This allows a malicious RDP server to trigger large out-of-bounds writes to heap memory, which could lead to a client crash or remote code execution. **Recommendations** Update to version 3.26.0 or later.

**Name of the Vulnerable Software and Affected Versions** MapServer versions 4.2 through 8.6.0 **Description** MapServer is a system for developing web-based GIS applications. A heap-buffer-overflow write in MapServer’s SLD (Styled Layer Descriptor) parser allows a remote, unauthenticated attacker to crash the MapServer process. This occurs by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure, commonly reachable via WMS GetMap with the `SLD BODY` parameter. The vulnerable component is the SLD parser. **Recommendations** Update to MapServer version 8.6.1 or later.