Yeonba0918

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.26.0 **Description** The RDPEAR NDR parser in FreeRDP accepts a single non-null NDR pointer ref-id for multiple logical pointer fields without tracking the expected NDR type or ownership of the pointed object. If the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. Subsequently, the generic destructor processes each field independently, leading to a heap use-after-free or double-free condition in the client's RDPEAR authentication-redirection path, which can be triggered by a malicious server. **Recommendations** Update to version 3.26.0.

**Name of the Vulnerable Software and Affected Versions** LibVNCClient versions prior to 0.9.16 **Description** The Tight encoding decoder in LibVNCClient uses fixed-size 2048-pixel scratch buffers for the Gradient filter but fails to reject Tight rectangles with a width exceeding 2048 pixels. A malicious VNC server can send a crafted FramebufferUpdate rectangle using Tight encoding with NoZlib | ExplicitFilter and the Gradient filter. When a client based on LibVNCClient connects, it processes the server-controlled rectangle width and writes beyond the fixed-size Gradient buffers, leading to a buffer overflow. **Recommendations** Update to version 0.9.16 or later.