VYPR
patchPublished Jul 15, 2026· 1 source

FreeRDP 3.29.0 Security Update Patches 22 Vulnerabilities

The latest FreeRDP release, version 3.29.0, addresses 22 security advisories with a focus on hardening the codebase, particularly in media and channel handling.

FreeRDP, a widely adopted open-source implementation of the Remote Desktop Protocol, has released version 3.29.0, a significant security, bugfix, and maintenance update. This release resolves a total of 22 security advisories, enhancing the stability and security of the RDP client and server components used across numerous applications and platforms.

The primary focus of this update is on strengthening the core codebase through rigorous hardening efforts. Many of the patches implement crucial bounds and length checks within the media and channel processing code. This includes specific fixes for AV1 decode output limits, ensuring that the decoding process adheres to defined boundaries. Additionally, region rectangle checks have been updated to align with existing AVC handling, and a correction has been made to the H.264 decoder to address surface dimension mismatches, preventing potential rendering issues and vulnerabilities.

Beyond media handling, the update also addresses critical vulnerabilities in cryptographic and connection pathways. One notable fix ensures that the core RDP implementation will reject a short server random value during the key establishment process, a common target for man-in-the-middle attacks. Furthermore, the handling of embedded null bytes within X.509 certificate processing has been improved, mitigating risks associated with malformed certificates. The Windows client now benefits from enhanced endpoint FedAuth token authentication and a server response size check, bolstering its defenses against various network-based attacks.

Resource management and general runtime hardening are also key components of this release. The developers have implemented measures to limit resource consumption and improve the overall robustness of the FreeRDP runtime environment. These enhancements collectively aim to prevent denial-of-service conditions and other stability-related security issues that could be exploited by malicious actors.

The security improvements in FreeRDP 3.29.0 extend to its cross-platform compatibility. The release includes fixes for iOS and Android builds, ensuring that mobile implementations are also more secure. Additionally, the SDL client has received an update for clipboard MIME format handling, addressing potential data leakage or corruption issues.

This security-focused release follows a rapid development cadence, with version 3.29.0 arriving just a week after 3.28.0. Maintainer Armin Novak highlighted that the extensive fixes are the result of a "very rigorous review since our last release by a couple of security researchers." This proactive approach to security testing and patching underscores the project's commitment to user safety.

Given that FreeRDP serves as the RDP engine for many downstream tools and applications, a weakness in this library can have far-reaching implications. The coordinated batch of fixes in version 3.29.0 is therefore of significant importance to a broad range of users and organizations relying on RDP connectivity.

Users and organizations running FreeRDP or software that incorporates it are strongly advised to update to version 3.29.0 as soon as possible. The updated archive is available from the project's release server, ensuring that systems are protected against the newly addressed security vulnerabilities.

Synthesized by Vypr AI