# 2026-06-15 Version 3.27.0

A major feature / bugfix / cleanup release
What changed:
 * Password hash now uses a custom SSPI attribute on non-Windows systems
 * TLS seclevel now defaults to 2 and a minimum of TLS 1.2 is required.
   On the client side, the /tls:seclevel:<number> and /tls:enforce:<version> options override these.
   Server implementations can manually set these with rdpSettings::FreeRDP_TLSMinVersion and
   rdpSettings::FreeRDP_TlsSecLevel
   (See https://docs.openssl.org/3.0/man3/SSL_CTX_set_security_level/ for more details)
 * The RDP proxy got a fix which removed (unstable) structs from public headers. There are no
   known users of that (internal) API, but if you happen to be one please ping us.
 * Android client got some huge updates again (thanks @svncibrahim)
 * Enhancements with Azure/Entra support: some (known but not officially documented) extensions
   have been added to make these connections more stable.
 * keyboard mapping
 * Allow RDPDR channel to pass additional arguments to the channel. Does not break existing behaviour
   but allows a channel supporting this to query the additional arguments for further use.
 * Fix some WinPR deprecation handling, add WITHOUT_WINPR_3x_DEPRECATED that allows building
   without any symbol deprecated during the stable 3 series
 * A client-side statistics logging API was added. By default it prints a (trace) log at the
   end of a session, but it can be queried at any time for some connection details.

## CVE (Reported by SecBuddyF, Tencent Keen Lab)
* https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9gxm-3mf5-f5cx
* https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7rp4-66mc-j9vx
* https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3mmf-qh4f-frm6
* https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vx73-w5q6-7jqr
* https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5c5v-f78v-h2f6 (Reported by @f9j2n6nd8k-eng)

## What's Changed
* Call winpr_InitializeSSL in TestWinPRUtils/TestNTLM (#12746)
* [core,codec] Fix invalid overlap check (#12753)
* Improve clipboard massive files copying performance (#12743)
* [crypto,certificate] Honor BIO_should_retry (#12755)
* Unify PEM read routines (#12758)
* Build updates (#12772)
* Fix sdl3 clipboard for files (#12759)
* url: replace http://www.freerdp.com (#12781)
* Fuzz/analyzer fixes (#12791)
* [winpr,sspi] replace password-length heuristic with explicit hash (#12782)
* Claude suggestions (#12792)
* Disp check fix (#12795)
* [core,settings] Raise default security level (#12752)
* [clang,tidy] use workflow from ZedThree (#12806)
* Improve FIPS mode support (#12811)
* Lots of android specific improvements (#12773, #12777, #12783, #12784, #12785,
  #12786, #12787, #12788, #12807, #12812, #12815, #12818, #12819, #12820, #12822,
  #12748, #12750)
* [channels,audin] fix opensles error handling (#12751)
* [channels,audin] fix iOS and mac backends (#12864)
* [channels,cliprdr] refactor server channel (#12810)
* [channels,cliprdr] reset stream after use (#12855)
* [channels,drdynvc] add new PubSub events (#12760)
* [channels,rail] fix client handshake response (#12780)
* [channels,rdpdr] various enhancements (#12800, #12797, #12803)
* [channels,rdpgfx] fix server frame command returning success on write failure (#12828)
* [channels,rdpsnd] reject client audio formats with zero nChannels/nBlockAlign (server-side DoS) (#12829)
* [channels,rdpsnd] skip unusable playback backend during selection (#12830)
* Refactor printer queue (#12817)
* [ci,freebsd] update ci (#12823, #12824, #12825)
* [cmake,simd] guard CMAKE_OSX_ARCHITECTURES (#12802)
* [cmake] replace find_package(GLOBAL) (#12837)
* [cmake] fix use of pkg_check_module (#12838)
* [winpr,input] complete japanese keyboard mapping (#12836)
* winpr/input: Fix numpad mapping for japanese keyboards (#12845)
* [core,gateway] validate auth blob length in rdg_process_extauth_sspi (#12856)
* Restore fullscreen when maximizing a toggled fullscreen window (#12849)
* Fix(wfreerdp): Refresh Windows frame after fullscreen restore (#12848)
* Fix copying multiple items of the same type between xfreerdp sessions (#12834)
* [core,event] add StateChanged event (#12858)
* [core,nego] bound cookie tag check to remaining length (#12862)
* codec stats (#12860)
* Various warning fixes (#12749, #12813, #12866, #12831)
* [core,client] add PubSub events (#12757)
* [core,client] use correct interface pointer (#12766)
* [client,rdpewa] filter UserNotify events (#12767)
* [client,windows] honor /from-stdin in wfreerdp (#12821)
* [client,x11] release normal keys before modifiers (#12868)
* fix(client/SDL): do not treat an unrecognized mouse button as fatal (#12847)
* Proxy client context (#12865)
* [core,update] filter out unused/unknown (#12870)
* Azure/Entra undocumented stuff and request compaction (#12872, #12871, #12770)
* Various bounds checks (#12873, #12857)
* Sspi separate ansi unicode (#12874)
* Ci update qa (#12875)
* [channels,gfx] extract remaining header length (#12876)
* [cache,glyph] bound offset read to buffer length (#12881)
* Expose the correlationId in settings (#12879)
* [winpr,wtypes] fix WINPR_C23_ENUM_TYPE (#12882)
* [server,proxy] pass ntlm hostname (#12877)

## New Contributors
* @ramnes made their first contribution in (#12782)
* @grioghar made their first contribution in (#12829)
* @scottgeigel2 made their first contribution in (#12821)
* @metsw24-max made their first contribution in (#12856)
* @zorjen122 made their first contribution in (#12849)

For a complete and detailed change log since the last release run:
git log 3.27.0...3.26.0

# 2026-05-06 Version 3.26.0

Mostly a bugfix and maintenance release with a few nice additions:
* On macOS the H264 decoder now supports VideoToolbox
* The android client got a big overhaul, more has been promised

## CVE fixes
* 3 High ranking CVE, no numbers assigned yet.
  Monitor https://github.com/FreeRDP/FreeRDP/security/advisories for updates

## What's Changed
* cmake: Findyuv: Use correct pkgconfig name (#12666)
* Remove deallocator attribute from rfx_message_free (#12681)
* [winpr,utils] improve winpr/ntlm.h (#12677)
* rdpecam-v4l: stop the capture thread when streaming is cleared (#12690)
* fix(winpr,ncrypt): support PIV retired key slots for smartcard logon (#12684)
* [core,instance] fix deprecation guards (#12691)
* [ci,alt-arch] enable internal MD4, MD5 and RC4 (#12692)
* Add VideoToolbox H.264 support for ffmpeg (#12694)
* [client,common] add /args-from:file:<name> syntax (#12697)
* [ci,freebsd] update freebsd builds (#12698, #12700, #12701, #12702)
* [client, android] UI modernization, SQLCipher and more (#12685, #12686, #12687, #12730,
  #12731, #12736, #12737, #12688)
* [cmake,deps] use alias target for sso-mib (#12706)
* [core,settings] add auto reconnect triggered flag (#12709)
* Force YUV420P when videotoolbox is used (#12711)
* Release cleanups (#12712)
* [gdi,gfx] fix bounds checks and proxy unit tests (#12713)
* Improved input checks (#12714)
* [winpr,utils] add unit tests for command line parser (#12716)
* Cmdline fixes (#12717)
* [codec,planar] fix bounds checks (#12718)
* [client,common] add freerdp_client_settings_parse_command_line_argume… (#12724)
* [winpr,sspi] clean up ntlm code (#12732)

## New Contributors
* @fstanis made their first contribution in (#12694)

For a complete and detailed change log since the last release run:
git log 3.26.0...3.25.0

# 2026-04-23 Version 3.25.0

Bugfix and feature release.
* Experimental AV1 support has been added. This currently works only with FreeRDP based servers.
* Most notably there is now support for [MS-RDPEWA] (FIDO2 redirection)
* Android client received a (small) facelift
* Improved SDL3 client drawing performance
* Console output support for SDL3 (windows) and windows native client
* RDP proxy now supports NSCodec and RFX modes.
* RDP proxy now has smartcard emulation and SAM file support (via config file)
* Smartcard KSP support for NLA authentication

## CVE fixes
* CVE-2026-40254

## What's Changed
* [winpr,wlog] add WLog_SetGlobalPrefix (#12497)
* [channels,video] fix wrong cast (#12511)
* [codec,openh264] reject encoder ABI mismatch on runtime-loaded library (#12510)
* [client,sdl] create a copy of rdpPointer (#12512)
* [codec,video] properly pass intermediate format (#12518)
* [utils, signal] lazily initialize Windows CRITICAL_SECTION to match POSIX static mutex behavior (#12520)
* winpr: improve libunwind backtraces (#12530)
* [server,shadow] remember selected caps (#12528)
* Zero credential data before free in NLA and NTLM context (#12532)
* [server,proxy] ignore missing client in input channel (#12536)
* [server,proxy] ignore rdpdr messages (#12537)
* [winpr,sspi] improve kerberos logging (#12538)
* Codec fixes (#12542)
* [winpr,sspi] Fix context nullptr handling (#12543)
* Dev 3.24.3 dev0 (#12545)
* Fix memory leak in `gdi_create_bitmap()` on `gdi_CreateBitmap` failure (`libfreerdp/gdi/graphics.c`) (#12547)
* Fix memory leak in `vgids_read_do_fkt()` on `Stream_New` failure (`libfreerdp/emu/scard/smartcard_virtual_gids.c`) (#12548)
* Proxy config improve (#12549)
* Proxy config improve (#12550)
* [client,sdl] clamp cursor hotspot (#12553)
* RFC: Research/av1 codec extension (#12527)
* [winpr,kerberos] fix krb_log_context_encryption (#12555)
* [client,sdl] fix global init return check (#12558)
* Fix remote credential with windows11h2 (#12560)
* Proxy scard auth improvements (#12561)
* [winpr,sspi] guard krb5_get_etype_info (#12562)
* [utils,smartcard] fix STATUS_BUFFER_TOO_SMALL (#12564)
* [client,common] do not manipulate security settings for smartcard-logon (#12567)
* [channels,audin] fix regression for microphone (#12570)
* [client,sdl] add SDL_KMOD_MODE and SDL_KMOD_LEVEL5 (#12569)
* Fix unbound strlen on slotDescription (#12571)
* build: Update FindFFmpeg.cmake to support Apple frameworks with 'lib' prefix (#12565)
* [channels,rdpewa] add WebAuthn virtual channel support (#12572)
* [core] fix freerdp_get_nla_sspi_error always returning 0 on client (#12574)
* [ci] enable rdpewa channel (#12576)
* small refactoring (#12578)
* Rdpewa unify notifications (#12581)
* [client,sdl] fix crash when clicking 'cancel' on PIN popup (#12580)
* [channels,drive] refine bounds checks (#12584)
* fix: smartcard logon with ECC keys and minidriver-assigned container names (#12585)
* Various papercuts (#12583)
* fix: console output on Windows client (#12573)
* [winpr,crt] dump stack on aligned memory errors (#12588)
* [client,x11] keep scancode input for Ctrl/Alt/Super combinations in /kbd:unicode mode (#12590)
* [codec,progressive] fix underflow guard in progressive_rfx_quant_sub (#12592)
* fix: wfreerdp floatbar visibility (#12594)
* [winpr,json] return a copy from WINPR_JSON_Print* (#12595)
* [client,sdl] drop WITH_DEBUG_SDL_EVENTS (#12599)
* Ncrypt and asn1 cleanup (#12604)
* Video channel fix (#12593)
* [codec,h264] fix media foundation backend (#12606)
* fix(sdl): detect Hyprland and river in tryFallback() (#12608)
* Proxy stress fixes (#12597)
* Add new fuzzer tests (#12613)
* fix(sdl): use SDL_Renderer instead of software surfaces (#12607)
* fix(sdl): BFS neighbor walk pop/begin mismatch in addOrUpdateDisplay (#12614)
* fix(sdl): promote first monitor as primary when subset excludes primary (#12618)
* [ci,android] default to only aarch64 (#12622)
* Fix process exit code on non-pidfd platforms (macOS, BSD) (#12534) (#12586)
* warning cleanups (#12626)
* fix: prevent PostQuitMessage in RemoteApp WM_DESTROY handler (#12629)
* [winpr,ntlm] fix message cleanup across the SSPI lifecycle (#12609)
* Code bug fixes (#12632)
* Oss fixes (#12633)
* [client,android] add an option to enable keeping screen on when connected (#12630)
* [client, android] Fix layout overlaps, migrate to AndroidX, and update UI components (#12628)
* Proxy config tests (#12636)
* Proxy config optional targethost (#12637)
* [client,sdl] set SDL_HINT_SCREENSAVER_INHIBIT_ACTIVITY_NAME (#12639)
* Nightly deb fix (#12640, #12641, #12649, #12650, #12642, #12643)
* [winpr,input] fix korean keyboard mapping (#12646)
* [client,sdl] set hints before SDL_Init (#12644)
* Sdl inhibit option (#12647)
* [client,X11] fix residual race in xf_clipboard_formats_free (#12648)
* (sdl3): Fix oversized window on HiDPI Wayland (#12635)
* [cache,bitmap] fix off-by-one in bitmap_cache_put bounds check (#12651)
* [winpr,sspi] free fields buffer immediately (#12654)
* [codec,dsp] fix fencepost error in dsp_ima_clamp_step (#12655)

## New Contributors
* @Kotivskyi made their first contribution in (#12532)
* @Skinner927 made their first contribution in (#12571)
* @bluca made their first contribution in (#12572)
* @sitiom made their first contribution in (#12573)
* @mtixt made their first contribution in (#12590)
* @MrVampy made their first contribution in (#12608)
* @ZackaryShen made their first contribution in (#12629)
* @parasol-aser made their first contribution in (#12609)
* @svncibrahim made their first contribution in (#12628)

**Full Changelog**: https://github.com/FreeRDP/FreeRDP/compare/3.24.1...3.25.0

# 2026-03-25 Version 3.24.2

Bug and security fix release

## CVE fixes

We got 4 High and 2 Moderate security reports from
* Calvin Young - eWalker Consulting
* Enoch Chow - Isomorph Cyber

and 2 Moderate reports from
* Sebastian Alba Vives (Sebastián Alba)

and 1 Moderate report from
* @prahal

CVE have been requested but not assigned yet. They will be published once assigned at
https://github.com/FreeRDP/FreeRDP/security

## What's Changed
* [channels,video] fix wrong cast (#12511)
* [codec,openh264] reject encoder ABI mismatch on runtime-loaded library (#12510)
* [client,sdl] create a copy of rdpPointer (#12512)
* [codec,video] properly pass intermediate format (#12518)
* [utils, signal] lazily initialize Windows CRITICAL_SECTION to match POSIX static mutex behavior (#12520)
* winpr: improve libunwind backtraces (#12530)
* [server,shadow] remember selected caps (#12528)
* Zero credential data before free in NLA and NTLM context (#12532)
* [server,proxy] ignore missing client in input channel (#12536)
* [server,proxy] ignore rdpdr messages (#12537)
* [winpr,sspi] improve kerberos logging (#12538)
* Codec fixes (#12542)

## New Contributors
* @Kotivskyi made their first contribution in #12532

For a complete and detailed change log since the last release run:
git log 3.24.2...3.24.1

# 2026-03-18 Version 3.24.1

Minor bugfix release addressing two regressions found in the previous 3.24.0 release

## What's Changed
* [warnings] fix various sign and cast warnings (#12480)
* [client,x11] start with xfc->remote_app = TRUE; (#12491)
* Sam file read regression fix (#12484)
* [ncrypt,smartcardlogon] support ECC keys in PKCS#11 smartcard enumeration (#12490)
* Fix: memory leak in rdp_client_establish_keys() in libfreerdp/core/co… (#12494)
* Fix memory leak in `freerdp_settings_int_buffer_copy()` on error paths (`libfreerdp/core/settings.c`) (#12486)
* Code Cleanups (#12493)
* Fix: memory leak in PCSC_SCardListReadersW() in winpr/libwinpr/smartc… (#12495)
* [channels,telemetry] use dynamic logging (#12496)
* [channel,gfx] use generic plugin log (#12498, #12499)
* [channels,audin] set error when audio_format_read fails (#12500)
* [channels,video] unify error handling (#12502)
* Fastpath fine grained lock (#12503)
* [core,update] make the PlaySound callback non-mandatory (#12504)
* Refinements: RPM build updates, FIPS improvements (#12506)

## New Contributors
* @dko-strd made their first contribution in #12490
* @huanghuihui0904 made their first contribution in #12486

For a complete and detailed change log since the last release run:
git log 3.24.1...3.24.0

# 2026-03-13 Version 3.24.0

A new release with bugfixes and many improvements for users and developers alike.
* Completed the [[nodiscard]] marking of the API to warn about problematic
  unchecked use of functions
* Added full C23 support (default stays at C11) to allow new compilers
  to do stricter checking
* Improved X11 and SDL3 clients
* Improved smartcard support
* proxy now supports RFX graphics mode

## Security Advisories
* CVE-2026-29774
* CVE-2026-29775
* CVE-2026-29776
* CVE-2026-31806
* CVE-2026-31883
* CVE-2026-31884
* CVE-2026-31885
* CVE-2026-31897

## What's Changed
* Attribute nodiscard related changes (#12325, #12360, #12395, #12406,
  #12421, #12426, #12177, #12403, #12405, #12407, #12409, #12408,
  #12412, #12413)
* c23 related improvements (#12368, #12371, #12379, #12381, #12383,
  #12385, #12386, #12387, #12384)
* Generic code cleanups (#12382, #12439, #12455, #12462, #12399, #12473)
* [core,utils] ignore NULL values in remove_rdpdr_type (#12372)
* [codec,fdk] revert use of WinPR types (#12373)
* [core,gateway] ignore incomplete rpc header (#12375, #12376)
* [warnings] make function declaration names consistent (#12377)
* [libfreerdp] Add new define for logon error info (#12380)
* [client,x11] improve rails window locking (#12392)
* Reload fix missing null checks (#12396)
* Bounds checks (#12400)
* [server,proxy] check for nullptr before using scard_call_context (#12404)
* [uwac] fix rectangular glitch around surface damage regions (#12410)
* Address various error handling inconsistencies (#12411)
* [core,server] Improve WTS API locking (#12414)
* Address some GCC compile issues (#12415, #12420)
* Winpr atexit (#12416)
* [winpr,smartcard] fix function pointer casts (#12422)
* Xf timer fix (#12423)
* [client,sdl] workaround for wlroots compositors (#12425)
* [client,sdl] fix SdlWindow::query (#12378)
* [winpr,smartcard] fix PCSC_ReleaseCardContext (#12427)
* [client,x11] eliminate obsolete compile flags (#12428)
* [client,common] skip sending input events when not connected (#12429)
* Input connected checks (#12430)
* Floatbar and display channel improvements (#12431)
* [winpr,platform] fix WINPR_ATTR_NODISCARD definition (#12432)
* [client] Fix writing of gatewayusagemethod to .rdp files (#12433)
* Nodiscard finetune (#12435)
* [core] fix missing gateway credential sync (#12436)
* [client,sdl3] limit FREERDP_WLROOTS_HACK (#12441)
* [core,settings] Allow FreeRDP_instance in setter (#12442)
* [codec,h264] make log message trace (#12444)
* X11 rails improve (#12440)
* [codec,nsc] limit copy area in nsc_process_message (#12448)
* Proxy support RFX and NSC settings (#12449)
* [client,common] display a shortened help on parsing issues (#12450)
* [winpr,smartcard] refine locking for pcsc layer (#12451)
* [codec,swscale] allow runtime loading of swscale (#12452)
* Swscale fallback (#12454)
* Sdl multi scaling support (#12456)
* [packaging,flatpak] update runtime and dependencies (#12457)
* [codec,video] add doxygen version details (#12458)
* [github,templates] update templates (#12460)
* [client,sdl] allow FREERDP_WLROOTS_HACK for all sessions (#12461)
* [warnings,nodiscard] add log messages for failures (#12463)
* [gdi,gdi] ignore empty rectangles (#12467)
* Smartcard fix smartcard-login, pass rdpContext for abort (#12466)
* [winpr,smartcard] fix compiler warnings (#12469)
* [winpr,timezone] fix search for transition dates (#12468)
* [client,common] improve /p help (#12471)
* Scard logging refactored (#12472)
* [emu,scard] fix smartcard emulation (#12475)
* Sdl null cursor (#12474)

## New Contributors
* @larsch made their first contribution in #12410

For a complete and detailed change log since the last release run:
git log 3.24.0...3.23.0

# 2026-02-25 Version 3.23.0

A new release and again a lot of changes:
* We've received an in-depth analysis of the FreeRDP client code and have addressed the shortcomings it uncovered.
  * CVE-2026-26965
  * CVE-2026-26955
  * CVE-2026-26271
  * CVE-2026-25997
  * CVE-2026-25959
  * CVE-2026-25955
  * CVE-2026-25954
  * CVE-2026-25953
  * CVE-2026-25952
  * CVE-2026-25942
  * CVE-2026-25941

Another weakness was reported, see https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qcfc-ghxr-h927

* Configuration isolation was added. 3rd party client/server applications should check
  the new API freerdp_setApplicationDetails and winpr_setApplicationDetails which allows
  using a custom namespace for configuration files and runtime data per application
* For developers, we've marked most of the API with [[nodiscard]] now so compilers
  might start complaining about unchecked return values now. This is intentional and should
  give some incentive to clean up code. Functions where the return is optional have been
  omitted. For the time being these checks are automatically applied for FreeRDP builds, external
  projects can opt in by defining WINPR_DEFINE_ATTR_NODISCARD in their build system.
* For developers: Please start testing your applications against FreeRDP builds with
  `-DWITHOUT_FREERDP_3x_DEPRECATED=ON` to ensure you're not using some soon to be removed API.
* SDL client did get a huge update, multimonitor and high DPI modes are now much improved
* We got a contribution for smartcard channel adding support for new attributes, so more
  applications might work now.

## What's Changed
* Sdl cleanup (#12202)
* [client,sdl] do not apply window offset (#12205)
* [client,sdl] add SDL_Error to exceptions (#12214)
* Rdp monitor log (#12215)
* [winpr,smartcard] implement some attributes (#12213)
* [client,windows] Fix return value checks for mouse event functions (#12279)
* [channels,rdpecam] fix sws context checks (#12272)
* [client,windows] Enhance error handling and context validation (#12264)
* [client,windows] Add window handle validation in RDP_EVENT_TYPE_WINDOW_NEW (#12261)
* [client,sdl] fix multimon/fullscreen on wayland (#12248)
* Vendor by app (#12207)
* [core,gateway] relax TSG parsing (#12283)
* [winpr,smartcard] simplify PCSC_ReadDeviceSystemName (#12273)
* [client,windows] Implement complete keyboard indicator synchronization (#12268)
* Fixes more more more (#12286)
* Use application details for names (#12285)
* warning cleanups (#12289)
* Warning cleanup (#12291)
* [client,windows] Enhance memory safety with NULL checks and resource protection (#12271)
* [client,x11] apply /size:xx% only once (#12293)
* Freerdp config test (#12295)
* [winpr,smartcard] fix returned attribute length (#12296)
* [client,SDL3] Fix properly handle smart-sizing with fullscreen (#12298)
* [core,test] fix use after free (#12299)
* Sign warnings (#12300)
* [cmake,compiler] disable -Wjump-misses-init (#12301)
* [codec,color] fix input length checks (#12302)
* [client,sdl] improve cursor updates, fix surface sizes (#12303)
* Sdl fullscreen (#12217)
* [client,sdl] fix move constructor of SdlWindow (#12305)
* [utils,smartcard] check stream length on padding (#12306)
* [android] Fix invert scrolling default value mismatch (#12309)
* Clear fix bounds checks (#12310)
* Winpr attr nodiscard fkt ptr (#12311)
* [codec,planar] fix missing destination bounds checks (#12312)
* [codec,clear] fix destination checks (#12315)
* NSC Codec fixes (#12317)
* Freerdp api nodiscard (#12313)
* [allocations] fix growth of preallocated buffers (#12319)
* Rdpdr simplify (#12320)
* Resource fix (#12323)
* [winpr,utils] ensure message queue capacity (#12322)
* [server,shadow] fix return and parameter checks (#12330)
* Shadow fixes (#12331)
* [rdtk,nodiscard] mark rdtk API nodiscard (#12329)
* [client,x11] fix XGetWindowProperty return handling (#12334)
* Win32 signal (#12335)
* [channel,usb] fix message parsing and creation (#12336)
* [cmake] Define WINPR_DEFINE_ATTR_NODISCARD (#12338)
* Proxy config fix (#12345)
* [codec,progressive] refine progressive decoding (#12347)
* [client,sdl] fix sdl_Pointer_New (#12350)
* [core,gateway] parse [MS-TSGU] 2.2.10.5 HTTP_CHANNEL_RESPONSE_OPTIONAL (#12353)
* X11 kbd sym (#12354)
* Windows compile warning fixes (#12357,#12358,#12359)

## New Contributors
* @tsz8899 made their first contribution in (#12279)
* @morgan9e made their first contribution in (#12298)
* @Wladefant made their first contribution in (#12309)

For a complete and detailed change log since the last release run:
git log 3.23.0...3.22.0

# 2026-01-28 Version 3.22.0

Major bugfix release:
* Complete overhaul of SDL client
* Introduction of new WINPR_ATTR_NODISCARD macro wrapping compiler or C language
  version specific [[nodiscard]] attributes
* Addition of WINPR_ATTR_NODISCARD to (some) public API functions so usage errors
  are producing warnings now
* Add some more stringify functions for logging
* We've received CVE reports, check
  https://github.com/FreeRDP/FreeRDP/security/advisories for more details!
  * @Keryer reported an issue affecting client and proxy:
    * CVE-2026-23948
  * @ehdgks0627 did some more fuzzing and found quite a number of client side bugs.
    * CVE-2026-24682
    * CVE-2026-24683
    * CVE-2026-24676
    * CVE-2026-24677
    * CVE-2026-24678
    * CVE-2026-24684
    * CVE-2026-24679
    * CVE-2026-24681
    * CVE-2026-24675
    * CVE-2026-24491
    * CVE-2026-24680

## What's Changed
* [core,info] fix missing NULL check (#12157)
* [gateway,tsg] fix TSG_PACKET_RESPONSE parsing (#12161)
* Allow querying auth identity with kerberos when running as a server (#12162)
* Sspi krb heimdal (#12163)
* Tsg fix idleTimeout parsing (#12167)
* [channels,smartcard] revert 649f7deee4e32ecedf0dcdfe571e54134b5be81e (#12166)
* [crypto] deprecate er and der modules (#12170)
* [channels,rdpei] lock full update, not only parts (#12175)
* [winpr,platform] add WINPR_ATTR_NODISCARD macro (#12178)
* Wlog cleanup (#12179)
* new stringify functions & touch API defines (#12180)
* Add support for querying SECPKG_ATTR_PACKAGE_INFO to NTLM and Kerberos (#12171)
* [channels,video] measure times in ns (#12184)
* [utils] Nodiscard (#12187)
* Error handling fixes (#12186)
* [channels,drdynvc] check pointer before reset (#12189)
* Winpr api def (#12190)
* [winpr,platform] drop C23 [[nodiscard]] (#12192)
* [gdi] add additional checks for a valid rdpGdi (#12194)
* Sdl3 high dpiv2 (#12173)
* peer: Disconnect if Logon() returned FALSE (#12196)
* [channels,rdpecam] fix PROPERTY_DESCRIPTION parsing (#12197)
* [channel,rdpsnd] only clean up thread before free (#12199)
* [channels,rdpei] add RDPINPUT_CONTACT_FLAG_UP (#12195)


For a complete and detailed change log since the last release run:
git log 3.22.0...3.21.0

# 2026-01-19 Version 3.21.0

Bugfix release with a few new API functions addressing shortcomings with
regard to input data validation.
Thanks to @ehdgks0627 we have fixed the following additional (medium)
client side vulnerabilities:
* CVE-2026-23530
* CVE-2026-23531
* CVE-2026-23532
* CVE-2026-23533
* CVE-2026-23534
* CVE-2026-23732
* CVE-2026-23883
* CVE-2026-23884

## What's Changed
* [client,sdl] fix monitor resolution (#12142)
* [codec,progressive] fix progressive_rfx_upgrade_block (#12143)
* Krb cache fix (#12145)
* Rdpdr improved checks (#12141)
* Codec advanced length checks (#12146)
* Glyph fix length checks (#12151)
* Wlog printf format string checks (#12150)
* [warnings,format] fix format string warnings (#12152)
* Double free fixes (#12153)
* [clang-tidy] clean up code warnings (#12154)

For a complete and detailed change log since the last release run:
git log 3.21.0...3.20.2

# 2026-01-14 Version 3.20.2

Patch release fixing a regression with gateway connections introduced with 3.20.1

## What's Changed
* Warnings and missing enumeration types (#12137)

For a complete and detailed change log since the last release run:
git log 3.20.2...3.20.1

# 2026-01-14 Version 3.20.1

New Year's cleanup release. Fixes some issues reported and does a cleaning sweep
to bring down warnings.
Thanks to @ehdgks0627 doing some code review/testing we've uncovered the following
(medium) vulnerabilities:
* CVE-2026-22851
* CVE-2026-22852
* CVE-2026-22853
* CVE-2026-22854
* CVE-2026-22855
* CVE-2026-22856
* CVE-2026-22857
* CVE-2026-22858
* CVE-2026-22859

These affect FreeRDP based clients only, with the exception of CVE-2026-22858
also affecting FreeRDP proxy. FreeRDP based servers are not affected.

## What's Changed
* [ci,abi] use abigail-tools from repo (#12079)
* [ci,abi] fix missing ABI suppressions (#12080)
* [ci,abi] add missing functions to suppression list (#12081)
* [core,gateway] fix http response (#12095)
* [ci,mac] build openh264 from master branch (#12104)
* [client,sdl] lock primary while used (#12103)
* [client,sdl] show file selection dialog (#12083)
* Proxy fixes (#12106)
* [core,freerdp] fix race in freerdp_abort_connect_context (#12107)
* [server,proxy] make peer_list access thread-safe and fix leaks (#12108)
* Clang warning fixes (#12109)
* Tidy nsc (#12110)
* Clang warn fixes (#12105)
* Tcp refactor (#12113)
* [enum,cast] fix implicit enum casts (#12111)
* [client,common] fix /remoteGuard (#12115)
* Coverity warning fixes (#12116)
* [channels,rdpei] properly clean up server channel (#12119)
* [core,gateway] ignore unknown http headers (#12120)
* Asan fixes (#12121, #12124, #12124)
* [crypto,base64] do proper length checks (#12122)
* [core,gcc] fix integer promotion issue (#12126)
* [core,orders] fix brush update decoding (#12130)
* [client,sdl] fix +workarea (#12131)
* [channels,rdpear] add checks for itemSize (#12127)
* Fix dead lock in smartcard when using smartcard logon with emulated smartcard (#12132)

For a complete and detailed change log since the last release run:
git log 3.20.1...3.20.0

# 2025-12-17 Version 3.20.0

## What's Changed
* Mingw fixes (#12070)
* [crypto,certificate_data] add some hostname sanitation (#12072)
* [client,common]: Fix loading of rdpsnd channel (#12074)
* [client,sdl] set touch and pen hints (#12076)

For a complete and detailed change log since the last release run:
git log 3.20.0...3.19.1

# 2025-12-12 Version 3.19.1

## What's Changed
* [core,transport] improve SSL error logging (#12045)
* [utils,helpers] fix freerdp_settings_get_legacy_config_path (#12052)
* From stdin and sdl-creds improve (#12050)
* [crypto,certificate] sanitize hostnames (#12055)
* [channels,drdynvc] propagate error in dynamic channel (#12057)
* [CMake] make Mbed-TLS and LibreSSL experimental (#12058)
* Json fix (#12060)
* rdpecam: send sample only if it's available (#12061)
* [channels,rdpecam] allow MJPEG frame skip and direct passthrough (#12059)
* [winpr,utils] explicit NULL checks in jansson WINPR_JSON_ParseWithLength (#12064)
* [packaging,flatpak] remove xprop (#12065)

For a complete and detailed change log since the last release run:
git log 3.19.1...3.19.0

# 2025-12-05 Version 3.19.0

Release addressing a regression (gateway transport failing) and some bugfixes

## What's Changed
* [ci] add git-archive ignore list (#11994)
* [client,common] fix retry counter (#11996)
* [cmake] fix aarch64 neon detection (#11998)
* Fix response body existence check when using RDP Gateway (#12002)
* fix line clipping issue (#12005)
* Clip coord fix (#12006)
* [core,input] Add debug log to keyboard state sync (#12008)
* Update command line usage for gateway option (#12011)
* [codec,ffmpeg] 8.0 dropped AV_PROFILE_AAC_MAIN (#12012)
* [channels,audin] fix pulse memory leak (#12013)
* [channels,drive] Small performance improvements in drive channel (#12014)
* [winpr,utils] fix command line error logging (#12021)
* [common,test] Adjust AVC and H264 expectations. (#12020)
* drdynvc: implement compressed packet (#12028)
* [channels,rdpecam] improve log messages (#12029)
* Fix remote credential guard channel loading (#12031)
* Fix inverted ifdef (#12032)
* [core,nego] disable all enabled modes except the one requested (#12035)
* rdpear: handle basic NTLM commands and fix server-side (#12039)
* [smartcardlogon] Fix off-by-one error in `smartcard_hw_enumerateCerts` (#12042)
* rdpecam: fix camera sample grabbing (#12041)

## New Contributors
* @kov-serg made their first contribution in (#12005)
* @alexiri made their first contribution in (#12011)
* @nteodosio made their first contribution in (#12020)

For a complete and detailed change log since the last release run:
git log 3.19.0...3.18.0

# 2025-11-12 Version 3.18.0

Minor improvements and bugfix release.
Some user visible changes:
* Fix a regression reading passwords from stdin
* Fix a timer regression (µs instead of ms)
* Improved multitouch support
* Fix a bug with PLANAR codec (used with /bpp:32 or sometimes with /gfx)
* Better error handling for ARM transport (Entra)
* Fix audio encoder lag (microphone/AAC) with FFMPEG
* Support for jansson JSON library

## What's Changed
* [core,arm] extract redirected username (#11873)
* [winpr,path] fix endianness issues (#11875)
* [cmake,pkg-config] properly set requires fields (#11876)
* [codec,planar] make test output verbose (#11877)
* [codec,planar] more test output (#11878)
* Planar fix sign (#11880)
* Entra fixes (#11881, #11882)
* Warn fixes cast (#11884)
* wst error handling (#11885)
* [winpr,json] add jansson support (#11886)
* [client,sdl] set metadata after command line parsing (#11890)
* [core,arm] add TARGET_BOOTING error code (#11889)
* [core] fix const correctness (#11891)
* [c,standard] use C99 inline (#11879)
* [winpr,pool] limit minimum threadpool size (#11897)
* Azure domain (#11892)
* [core,arm] fix TargetNetAddress size and checks (#11899)
* [winpr,json] fix a memory leak with jansson (#11901)
* Jansson fix (#11902)
* Bitmap fixes and unit tests (#11903)
* [channels,rdpecam] fix a memory leak (#11907)
* [common,settings] fix resize of TargetNetAddresses (#11905)
* Jansson ref count (#11908)
* [winpr,json] fix WINPR_JSON_AddItemToArray (#11909)
* [client,common] improve retry handling (#11910)
* Jansson version limit (#11911)
* Rdstls error code mapping (#11913)
* dsp_ffmpeg: fix latency buildup during resampling (#11912)
* [core,rdstls] improve logging (#11914)
* [client,common] fix parsing of enablerdsaadauth (#11915)
* Codec stringify (#11918)
* [core,tcp] fix a regression (#11919)
* [core,timer] fix reschedule interval (#11921)
* [winpr,timezone] update dotnet version for tzextract (#11927)
* [timezones] Update definitions by @github-actions[bot] in (#11928)
* [winpr,synch] Yield after a poll timeout in emscripten (#11929)
* [channels,audin] fix a leak in pulse backend (#11933)
* [crypto,x509] add missing OpenSSL include for d2i_RSA_PSS_PARAMS (#11942)
* [client,android] fix wrong type of variable (#11945)
* Revert smart sizing (#11946)
* Align width and height for AVC444 decoding to 32 (#11930)
* [crypto,tls] make cert warning more accurate (#11947)
* [core,timer] ensure all scheduled timers are handled (#11948)
* Fix build and run with optional channels (#11941)
* [channels,rdpei] fix not sending essential touch events (#11955)
* [CMake] mark WITH_VAAPI experimental (#11956)
* Config extension (#11961)
* [winpr,synch] Fix starvation in pollset_poll caused by emscripten_sleep (#11962)
* [utils] fix from-stdin (#11965)
* [client,x11] log mouse event types and call stack (#11966)
* libfreerdp: remove SIGUSR1 and SIGUSR2 from fatal signals (#11968)
* [input, virtualkey] Add Korean keys in XKB_KEYNAME_TABLE (#11977)
* [cache,glyph] overallocate to compensate for off by one (#11980)
* [client,common] improve multitouch mouse emulation (#11970)
* [core,gateway] improve response cookie handling (#11971)
* Revert "[core,gateway] improve arm transport" (#11983)
* Http request improvements (#11984)
* Log improve (#11985)
* [client,sdl] sdl2 dialog auth: remove std::move (#11986)

## New Contributors
* @FriederHannenheim made their first contribution in (#11912)
* @ploosin made their first contribution in (#11955)

For a complete and detailed change log since the last release run:
git log 3.18.0...3.17.2

# 2025-09-19 Version 3.17.2

Minor improvements and bugfix release.
Most notably resource usage (file handles) has been greatly reduced and
static build pkg-config has been fixed.
For users of xfreerdp RAILS/RemoteApp mode the switch to DesktopSession
mode has been fixed (working UAC screen)

## What's Changed
* Findfirst fix (#11833)
* [channels,drive] tolerate drive_file_set_disposition_information (#11834)
* endianness fixes (#11835)
* fix(winpr): ncrypt_pkcs11: set correct PIV certificate labels (#11837)
* [cmake] fix versioning regression (#11832)
* Limit threadpool (#11840)
* [winpr,path] fix missing length check (#11841)
* [proxy,channels] better NULL checks (#11842)
* [codec,yuv] wrap step calculation (#11843)
* [winpr,sspi] log mechanisms not valid (#11844)
* settings: remove duplicate setting of GatewayAvdScope (#11845)
* [client,sdl] improve clipboard logging (#11849)
* rdpecam: add some new callbacks to the HAL (#11851)
* [proxy,modules] generate pkg-config files for modules (#11848)
* [cmake] static build: populate private (#11852)
* [proxy,modules] extend dynamic module loader (#11854)
* [winpr,threadpool] default minimum thread count (#11855)
* [core,tcp] unify setting of TCP_NODELAY (#11856)
* Planar fix (#11857)
* Fix quote parsing (#11858)
* Sdl mod: disable hotkeys (#11862)
* Aad auth fail (#11863)
* [clients] add checks from #11804 to all clients (#11865)
* [client,x11] fix rails/desktop switch (#11866)
* [client,x11] disable output during rail/desktop switch (#11867)
* [core,gateway] automatically accept ARM redirection (#11870)
* Update android deps (#11871)

## New Contributors
* @TheBestTvarynka made their first contribution in (#11837)

For a complete and detailed change log since the last release run:
git log 3.17.2...3.17.1

# 2025-09-01 Version 3.17.1

Minor improvements and bugfix release.

* most notably a memory leak was addressed
* fixed header files missing C++ guards
* xfreerdp as well as the SDL clients now support a system wide configuration file
* Heimdal kerberos support was improved
* builds with [MS-RDPEAR] now properly abort at configure if Heimdal is used
  (this configuration was never supported, so ensure nobody compiles it that way)

## What's Changed
* [client,sdl] always set sdl->windows_created (#11807)
* [winpr,synch] increase timeout for TestSynchCritical (#11808)
* Enable RDPECAM client in flatpak release (#11809)
* [proxy,channels] refactor dynamic channel (#11812)
* [core,settings] fix ReceivedCapabilities reset (#11814)
* Freebsd build fixes (#11815)
* [client,sdl] disable connection dialog (#11820)
* audin_oss: do not reset mic volume on capture start (#11822)
* add-x11-config-file (#11823)
* [client,sdl] fix global config evaluation (#11825)
* [sspi,negotiate] improve /auth-pkg-list parsing (#11826)
* Geometry channel fixes (#11828)
* core/redirection: Ensure stream has enough space for all parameters (#11830)

## New Contributors
* @omatasas made their first contribution in #11787
* @sharkcz made their first contribution in #11808
* @cvpcs made their first contribution in #11809
* @Defenso-QTH made their first contribution in #11822

For a complete and detailed change log since the last release run:
git log 3.17.1...3.17.0

# 2025-08-22 Version 3.17.0

Bugfix release that fixes lots of format string issues along with a few minor
parser issues. The most notable (user visible) change is full X509 chain support
for client/server.

## What's Changed
* [client,sdl2] fix build with webview (#11685)
* [core,nla] use wcslen for password length (#11687)
* Clear channel error prior to call channel init event proc (#11688)
* Warn args (#11689)
* [client,common] fix -mouse-motion (#11690)
* [core,proxy] fix IPv4 and IPv6 length (#11692)
* Regression fix2 (#11696)
* Log fixes (#11693)
* [common,settings] fix int casts (#11699)
* [core,connection] fix log level of several messages (#11697)
* [client,sdl] print current video driver (#11701)
* [crypto,tls] print big warning for /cert:ignore (#11704)
* [client,desktop] fix StartupWMClass setting (#11708)
* [cmake] unify version creation (#11711)
* [common,settings] force reallocation on caps copy (#11715)
* [manpages] Add example of keyboard remapping (#11718)
* Some fixes in Negotiate and NLA (#11722)
* [client,x11] fix clipboard issues (#11724)
* kerberos: do various tries for TGT retrieval in u2u (#11723)
* Cmdline escape strings (#11735)
* [winpr,utils] do not log command line arguments (#11736)
* [api,doc] Add stylesheet for doxygen (#11738)
* [core,proxy] fix BIO read methods (#11739)
* [client,common] fix sso_mib_get_access_token return value in error case (#11741)
* [crypto,tls] do not use context->settings->instance (#11749)
* winpr: re-introduce the credentials module (#11734)
* [winpr,timezone] ensure thread-safe initialization (#11754)
* core/redirection: Ensure stream has enough space for the certificate (#11762)
* [client,common] do not log success (#11766)
* Clean up bugs exposed on systems with high core counts (#11761)
* [cmake] add installWithRPATH (#11747)
* [clang-tidy] fix various warnings (#11769)
* Wlog improve type checks (#11774)
* [client,common] fix tenantid command line parsing (#11779)
* Proxy module static and shared linking support (#11768)
* LoadLibrary Null fix (#11786)
* [client,common] add freerdp_client_populate_settings_from_rdp_file_un… (#11780)
* Fullchain support (#11787)
* [client,x11] ignore floatbar events (#11771)
* [winpr,credentials] prefer utf-8 over utf-16-LE (#11790)
* [proxy,modules] ignore bitmap-filter skip remaining (#11789)

## New Contributors
* @steelman made their first contribution in #11718
* @pvachon made their first contribution in #11761

For a complete and detailed change log since the last release run:
git log 3.17.0...3.16.0

# 2025-06-16 Version 3.16.0

Bugfix release with (again) much improved SDL3 and X11 client

## What's Changed
* Lots of improvements for the SDL3 client (#11502,#11504,#11516,#11546,#11552,
  #11553,#11556,#11560,#11568,#11587,#11613,#11643,#11635,#11648,#11653,#11654,
  #11661)
* Various X11 client improvements (#11619,#11612,#11620,#11624,#11625,#11660)
* Various CI build fixes (#11543,#11554,#11570,#11571,#11575,#11577,#11579,
  #11580,#11581,#11582,#11583,#11584,#11585,#11586)
* [utils,smartcard] Better logging and handling of output buffer too small
  (#11503,#11565,#11636)
* Add a timer implementation (#11578,#11592,#11615)
* Various bugfixes for drive channel (#11569,#11601,#11637,#11647,#11659)
* add login through MS identity broker via sso-mib interface (#11600,#11608)
* Update flatpak build script in repo (#11609,#11610,#11621,#11670)
* Various AAD/Azure/Entra improvements (#11606,#11607,#11371,#11518)
* YUV420 primitives fixes (#11673,#11539)
* GCC Fixes (#11538)
* [core,settings] fix freerdp_device_collection_add (#11533)
* [core,proxy] detect address type (#11534)
* [core,test] refactor TestSettings (#11558)
* [core,test] improve settings test log (#11559)
* [core,activation] skip sending PDU_TYPE_DEACTIVATE_ALL (#11603)
* [core,transport] only free userContext if userContextSize > 0 (#11642)
* [core,info] Allow INFO_HIDEF_RAIL_SUPPORTED with RDP version RDP_VERS… (#11652)
* [core,gcc] use dynamic logger from rdpMcs (#11669)
* [core,settings] default MonitorIds size to MonitorDefArray size (#11671)
* Rdp security fixes (#11506)
* rdpei/server: Fix incorrect PDU length read (#11510)
* [winpr] Put '\0' when converting empty string to wstr (#11511)
* [common,settings] new settings (de)serialization API (#11508)
* [cache,glyph] fix GLYPH_FRAGMENT_USE (#11517)
* [winpr,sysinfo] use a single clock to provide System and Local time (#11520)
* [common,settings] fix add_string_or_null (#11522)
* Compiler warning fixes (#11523)
* fix [resources]: remove MimeType from desktop file (#11525)
* gcc: fix server-side connection with multiple monitor (#11527)
* [rdpsnd/client] add parameters to pulse snd device plugin (#11530)
* [crypto,key] do not deprecate new_from* (#11535)
* [winpr,file] Fix assert fail always when removing flags (#11540)
* FF_PROFILE Deprecation (#11542)
* [cmake] Fix finding ffmpeg under nonstandard prefixes (#11548)
* [client,android] update (#11555)
* Support 'Restrict Credential Delegation' mode (#11547)
* Support NLA in shadow server when running behind a Hyper-V proxy (#11549)
* [winpr,file] Add implementation of FileFlushFileBuffers (#11566)
* [winpr,file] add TestFileWriteFile testcase (#11567)
* [channels,rdpdr] expose device add/remove for clients (#11564)
* Deb & RPM update (#11572)
* Transport fix (#11573)
* [winpr,sspi] add kerberos string len checks (#11590)
* [winpr,sspi] assert kerberos principal (#11591)
* [channels,video] fix NULL dereference (#11597)
* Reconnect strict (#11599)
* [rdpdr,hotplug] fix passing of device::Id back to caller (#11617)
* [client,common] lock clipboard on update (#11618)
* [client,cliprdr] refactor file clipboard (#11627)
* [winpr,wtypes] align BOOL typedef with objc.h header (#11632)
* [stream] reset pool array size after clearing (#11631)
* fix compile errors: xfc not defined even if with WITH_XCURSOR=ON (#11629)
* [utils,helpers] add missing WINPR_ATTR_MALLOC (#11633)
* JSON configuration helpers (#11634)
* [client,common] (re)initialize fuse root in cliprdr_file_context_init (#11646)
* [WaitForXXObject] use infinite timeout where possible (#11651)
* [channels,printer] fix missing include (#11663)
* [winpr,file] fix definition of winpr_CreateFile (#11664)

## New Contributors
* @lazy5f made their first contribution in #11511
* @EndlessEden made their first contribution in #11542
* @thestr4ng3r made their first contribution in #11548
* @ljaeh0121 made their first contribution in #11566
* @rupran made their first contribution in #11600
