From e3fbcd0250d70099a56d30b6a39ebacc4237841e Mon Sep 17 00:00:00 2001 From: Gyorgy Sarvari Date: Mon, 23 Feb 2026 20:18:38 +0100 Subject: [PATCH] freerdp: patch CVE-2026-22852 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22852 The related github advisory[1] comes with an analysis of the vulnerability, including pointing to the vulnerable code snippet. Backported the commit that touched the mentioned code part in the fixed version, and is in line with the description of the issue. Ptests passed successfully. [1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4 Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj --- .../freerdp/freerdp/CVE-2026-22852.patch | 27 +++++++++++++++++++ .../recipes-support/freerdp/freerdp_2.11.7.bb | 1 + 2 files changed, 28 insertions(+) create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22852.patch diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22852.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22852.patch new file mode 100644 index 0000000000..aa6952fb7d --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22852.patch 
@@ -0,0 +1,27 @@ +From e3391e8d160f4b1b43d53b4a7d462a3601c45408 Mon Sep 17 00:00:00 2001 +From: akallabeth +Date: Sat, 10 Jan 2026 08:36:38 +0100 +Subject: [PATCH] free up old audio formats + +CVE: CVE-2026-22852 +Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/cd1ffa112cfbe1b40a9fd57e299a8ea12e23df0d] +Signed-off-by: Gyorgy Sarvari +--- + channels/audin/client/audin_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/channels/audin/client/audin_main.c b/channels/audin/client/audin_main.c +index 23561b153..5ffe09127 100644 +--- a/channels/audin/client/audin_main.c ++++ b/channels/audin/client/audin_main.c +@@ -219,6 +219,10 @@ static UINT audin_process_formats(AUDIN_PLUGIN* audin, AUDIN_CHANNEL_CALLBACK* c + } + + Stream_Seek_UINT32(s); /* cbSizeFormatsPacket */ ++ ++ audio_formats_free(callback->formats, callback->formats_count); ++ callback->formats_count = 0; ++ + callback->formats = audio_formats_new(NumFormats); + + if (!callback->formats) diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb index 3ee4f99c1a..70198a1e21 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb @@ -26,6 +26,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https file://CVE-2024-32661.patch \ file://CVE-2026-22854.patch \ file://CVE-2026-22855.patch \ + file://CVE-2026-22852.patch \ "
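Review bot: In the audin_process_formats hunk of the embedded CVE-2026-22852.patch, the added `audio_formats_free(callback->formats, callback->formats_count);` runs unconditionally before `audio_formats_new(NumFormats)`, so it is also reached the first time a formats packet is processed. Nothing in the visible context shows that `callback->formats` starts out NULL with a zero `formats_count`, or that `audio_formats_free` tolerates a NULL pointer. Please confirm both against the 2.11.7 sources and say so in the patch description. Resetting `callback->formats_count = 0;` before the reallocation is worth keeping, since the following `if (!callback->formats)` error path would otherwise leave a stale count next to a NULL pointer. The patch header carries `From e3391e8d160f4b1b43d53b4a7d462a3601c45408` while Upstream-Status references commit cd1ffa112cfbe1b40a9fd57e299a8ea12e23df0d. A line stating whether the backport was applied unmodified would make that difference easy to audit.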
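Review bot: In the freerdp_2.11.7.bb hunk, `file://CVE-2026-22852.patch \` is appended after `file://CVE-2026-22854.patch \` and `file://CVE-2026-22855.patch \`, which breaks the numeric order of the CVE entries in SRC_URI. Patches are applied in the order listed, so either move the new entry ahead of CVE-2026-22854.patch and confirm it still applies cleanly there, or keep it last and note that the order is intentional.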