new file mode 100644
@@ -0,0 +1,83 @@
+From df1132783e49ebeaa30206a67b70c7a37f3c5650 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sun, 11 Jan 2026 09:03:57 +0100
+Subject: [PATCH] add length validity checks
+
+From: akallabeth <akallabeth@posteo.net>
+
+in smartcard_unpack_set_attrib_call input length validity checks were
+missing.
+
+CVE: CVE-2026-22855
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/57c5647d98c2a026de8b681159cb188ca0439ef8]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ channels/smartcard/client/smartcard_pack.c | 27 +++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/channels/smartcard/client/smartcard_pack.c b/channels/smartcard/client/smartcard_pack.c
+index f70eb4e5d..c0673e066 100644
+--- a/channels/smartcard/client/smartcard_pack.c
++++ b/channels/smartcard/client/smartcard_pack.c
+@@ -98,8 +98,8 @@ static BOOL smartcard_ndr_pointer_read_(wStream* s, UINT32* index, UINT32* ptr,
+ return TRUE;
+ }
+
+-static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t elementSize,
+- ndr_ptr_t type)
++static LONG smartcard_ndr_read_ex(wStream* s, BYTE** data, size_t min, size_t elementSize,
++ ndr_ptr_t type, size_t* plen)
+ {
+ size_t len, offset, len2;
+ void* r;
+@@ -125,6 +125,9 @@ static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t eleme
+ return STATUS_BUFFER_TOO_SMALL;
+ }
+
++ if (plen)
++ *plen = 0;
++
+ switch (type)
+ {
+ case NDR_PTR_FULL:
+@@ -181,11 +184,20 @@ static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t eleme
+ if (!r)
+ return SCARD_E_NO_MEMORY;
+ Stream_Read(s, r, len);
+- smartcard_unpack_read_size_align(NULL, s, len, 4);
++ const LONG pad = smartcard_unpack_read_size_align(NULL, s, len, 4);
++ len += (size_t)pad;
+ *data = r;
++ if (plen)
++ *plen = len;
+ return STATUS_SUCCESS;
+ }
+
++static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t elementSize,
++ ndr_ptr_t type)
++{
++ return smartcard_ndr_read_ex(s, data, min, elementSize, type, NULL);
++}
++
+ static BOOL smartcard_ndr_pointer_write(wStream* s, UINT32* index, DWORD length)
+ {
+ const UINT32 ndrPtr = 0x20000 + (*index) * 4;
+@@ -3427,12 +3439,15 @@ LONG smartcard_unpack_set_attrib_call(SMARTCARD_DEVICE* smartcard, wStream* s, S
+
+ if (ndrPtr)
+ {
+- // TODO: call->cbAttrLen was larger than the pointer value.
+- // TODO: Maybe need to refine the checks?
+- status = smartcard_ndr_read(s, &call->pbAttr, 0, 1, NDR_PTR_SIMPLE);
++ size_t len = 0;
++ status = smartcard_ndr_read_ex(s, &call->pbAttr, 0, 1, NDR_PTR_SIMPLE, &len);
+ if (status != SCARD_S_SUCCESS)
+ return status;
++ if (call->cbAttrLen > len)
++ call->cbAttrLen = (DWORD)(len);
+ }
++ else
++ call->cbAttrLen = 0;
+ smartcard_trace_set_attrib_call(smartcard, call);
+ return SCARD_S_SUCCESS;
+ }
@@ -25,6 +25,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https
file://0001-Fixed-compilation-warnings-in-ainput-channel.patch \
file://CVE-2024-32661.patch \
file://CVE-2026-22854.patch \
+ file://CVE-2026-22855.patch \
"
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22855 The related Github advisory[1] describes the problem along with analyzing where the vulnerability is in the codebase. I looked up the commit that recently performed the changes from the analysis, and backported it. [1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rwp3-g84r-6mx9 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../freerdp/freerdp/CVE-2026-22855.patch | 83 +++++++++++++++++++ .../recipes-support/freerdp/freerdp_2.11.7.bb | 1 + 2 files changed, 84 insertions(+) create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22855.patch