From c9763be62bd07cefb906649011de2034ef4702a3 Mon Sep 17 00:00:00 2001 From: Ankur Tyagi Date: Thu, 9 Apr 2026 19:09:02 +1200 Subject: [PATCH] freerdp3: fix CVE-2026-24491 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24491 Signed-off-by: Ankur Tyagi Signed-off-by: Anuj Mittal --- .../freerdp/freerdp3/CVE-2026-24491.patch | 52 +++++++++++++++++++ .../recipes-support/freerdp/freerdp3_3.4.0.bb | 1 + 2 files changed, 53 insertions(+) create mode 100644 meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-24491.patch diff --git a/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-24491.patch b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-24491.patch new file mode 100644 index 0000000000..958d030bfd --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-24491.patch @@ -0,0 +1,52 @@ +From ef948ef4659f59c10a71083fa8cb5d5da77e94a9 Mon Sep 17 00:00:00 2001 +From: akallabeth +Date: Mon, 26 Jan 2026 10:06:29 +0100 +Subject: [PATCH] [channels,drdynvc] reset channel_callback before close + +The channel_callback usually frees up the memory of the callback. To +ensure that there is no access to any of the data structures in it +invalidate the pointer used to access it before a free. + +CVE: CVE-2026-24491 +Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/e02e052f6692550e539d10f99de9c35a23492db2] +Signed-off-by: Ankur Tyagi +--- + channels/drdynvc/client/drdynvc_main.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/channels/drdynvc/client/drdynvc_main.c b/channels/drdynvc/client/drdynvc_main.c +index 0b85c0fe3..64c83333a 100644 +--- a/channels/drdynvc/client/drdynvc_main.c ++++ b/channels/drdynvc/client/drdynvc_main.c +@@ -485,14 +485,13 @@ static UINT dvcman_channel_close(DVCMAN_CHANNEL* channel, BOOL perRequest, BOOL + channel->state = DVC_CHANNEL_CLOSED; + + IWTSVirtualChannelCallback* cb = channel->channel_callback; ++ channel->channel_callback = NULL; + if (cb) + { + check_open_close_receive(channel); + IFCALL(cb->OnClose, cb); + } + +- channel->channel_callback = NULL; +- + if (channel->dvcman && channel->dvcman->drdynvc) + { + if (context) +@@ -763,14 +762,13 @@ out: + */ + static UINT dvcman_open_channel(drdynvcPlugin* drdynvc, DVCMAN_CHANNEL* channel) + { +- IWTSVirtualChannelCallback* pCallback = NULL; + UINT error = CHANNEL_RC_OK; + + WINPR_ASSERT(drdynvc); + WINPR_ASSERT(channel); + if (channel->state == DVC_CHANNEL_RUNNING) + { +- pCallback = channel->channel_callback; ++ IWTSVirtualChannelCallback* pCallback = channel->channel_callback; + + if (pCallback->OnOpen) + { diff --git a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb index c570e5fb7e..e66a4ed4da 100644 --- a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb +++ b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb @@ -23,6 +23,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \ file://CVE-2026-25941.patch \ file://CVE-2026-33952.patch \ file://CVE-2026-23948.patch \ + file://CVE-2026-24491.patch \ " S = "${WORKDIR}/git"