FreeRDP 3.28 has been released as the latest update to this widely used open-source implementation of the Remote Desktop Protocol, with the main focus on security, addressing multiple vulnerabilities, including CVE-2026-57156, CVE-2026-57157, and CVE-2026-57158.
Fixes address parsing, bounds-checking, clipboard, channel, codec, smartcard, and device redirection issues. Users and distributions are strongly encouraged to update.
Beyond the security work, this release also revives the iOS client, known as iFreeRDP. The update modernizes the client, removes some deprecation warnings, adds iOS CMake work, and introduces OpenH264 build support.
Android support is enhanced with RISC-V 64-bit compatibility, more configurable release builds, options to override version name and code, a redesigned touch pointer, and external dependencies moved to a dedicated CMake file.
The Windows client benefits from improved fullscreen floatbar controls in wfreerdp and a fix for scroll offset reset when hiding scrollbars. Additional updates include build adjustments for MSVC and fixes for CredSSP and Windows-specific x86 calling conventions.
Another notable addition is a new server-side smartcard API. On top of that, the release includes several smartcard-related fixes, including validation improvements and changes around smartcard logon handling. Plus, the client statistics interface now supports static channels, with additional channel statistics and related API updates.
SDL client improvements include enhanced file clipboard security, Askpass support, notification handling fixes, and corrected natural scrolling settings for mouse and touchpad input. On macOS, audio handling has been improved to recover sound after AVAudioEngine configuration changes.
Among the many other fixes, FreeRDP 3.28 improves connection failure logging, bounds video frame copies to the current surface size, validates remote assistance and camera channel data more carefully, fixes RDPDR string handling, hardens WinPR parser checks, addresses clipboard and sound channel issues, and fixes a potential gateway-related SIGSEGV in winpr_strnstr.
For additional details, see the announcement. The source archive is available on the project’s release page.
