diff --git a/SOURCES/channel-rdpsnd-only-clean-up-thread-before-free.patch b/SOURCES/channel-rdpsnd-only-clean-up-thread-before-free.patch
new file mode 100644
index 0000000..6ae981a
--- /dev/null
+++ b/SOURCES/channel-rdpsnd-only-clean-up-thread-before-free.patch
@@ -0,0 +1,117 @@
+From b96bfa485a286335bcb4c698fa6490fb4a98b9e6 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Fri, 13 Mar 2026 15:47:11 +0100
+Subject: [PATCH] [channel,rdpsnd] only clean up thread before free
+
+Backport of commit afa6851dc80835d3101e40fcef51b6c5c0f43ea5.
+
+Made-with: Cursor
+---
+ channels/rdpsnd/client/rdpsnd_main.c | 37 ++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/channels/rdpsnd/client/rdpsnd_main.c b/channels/rdpsnd/client/rdpsnd_main.c
+index c7660a857..576e065d2 100644
+--- a/channels/rdpsnd/client/rdpsnd_main.c
++++ b/channels/rdpsnd/client/rdpsnd_main.c
+@@ -133,6 +133,8 @@ struct rdpsnd_plugin
+ 	BOOL applyVolume;
+ };
+ 
++static DWORD WINAPI play_thread(LPVOID arg);
++
+ static const char* rdpsnd_is_dyn_str(BOOL dynamic)
+ {
+ 	if (dynamic)
+@@ -1267,7 +1269,6 @@ static void cleanup_internals(rdpsndPlugin* rdpsnd)
+ 	if (!rdpsnd)
+ 		return;
+ 
+-	rdpsnd_terminate_thread(rdpsnd);
+ 	if (rdpsnd->pool)
+ 		StreamPool_Return(rdpsnd->pool, rdpsnd->data_in);
+ 
+@@ -1331,6 +1332,7 @@ static void free_internals(rdpsndPlugin* rdpsnd)
+ 	if (!rdpsnd)
+ 		return;
+ 
++	rdpsnd_terminate_thread(rdpsnd);
+ 	freerdp_dsp_context_free(rdpsnd->dsp_context);
+ 	StreamPool_Free(rdpsnd->pool);
+ 	rdpsnd->pool = NULL;
+@@ -1353,6 +1355,23 @@ static BOOL allocate_internals(rdpsndPlugin* rdpsnd)
+ 			return FALSE;
+ 	}
+ 
++	if (!rdpsnd->queue)
++	{
++		wObject obj = { 0 };
++
++		obj.fnObjectFree = _queue_free;
++		rdpsnd->queue = MessageQueue_New(&obj);
++		if (!rdpsnd->queue)
++			return FALSE;
++	}
++
++	if (!rdpsnd->thread)
++	{
++		rdpsnd->thread = CreateThread(NULL, 0, play_thread, rdpsnd, 0, NULL);
++		if (!rdpsnd->thread)
++			return FALSE;
++	}
++
+ 	return TRUE;
+ }
+ 
+@@ -1391,23 +1410,12 @@ static DWORD WINAPI play_thread(LPVOID arg)
+ 
+ static UINT rdpsnd_virtual_channel_event_initialized(rdpsndPlugin* rdpsnd)
+ {
+-	wObject obj = { 0 };
+-
+ 	if (!rdpsnd)
+ 		return ERROR_INVALID_PARAMETER;
+ 
+-	obj.fnObjectFree = _queue_free;
+-	rdpsnd->queue = MessageQueue_New(&obj);
+-	if (!rdpsnd->queue)
+-		return CHANNEL_RC_NO_MEMORY;
+-
+ 	if (!allocate_internals(rdpsnd))
+ 		return CHANNEL_RC_NO_MEMORY;
+ 
+-	rdpsnd->thread = CreateThread(NULL, 0, play_thread, rdpsnd, 0, NULL);
+-	if (!rdpsnd->thread)
+-		return CHANNEL_RC_INITIALIZATION_ERROR;
+-
+ 	return CHANNEL_RC_OK;
+ }
+ 
+@@ -1415,8 +1423,6 @@ void rdpsnd_virtual_channel_event_terminated(rdpsndPlugin* rdpsnd)
+ {
+ 	if (rdpsnd)
+ 	{
+-		rdpsnd_terminate_thread(rdpsnd);
+-
+ 		free_internals(rdpsnd);
+ 		audio_formats_free(rdpsnd->fixed_format, 1);
+ 		free(rdpsnd->subsystem);
+@@ -1604,14 +1610,13 @@ static UINT rdpsnd_on_close(IWTSVirtualChannelCallback* pChannelCallback)
+ 		IFCALL(rdpsnd->device->Close, rdpsnd->device);
+ 
+ 	cleanup_internals(rdpsnd);
+-
++	free_internals(rdpsnd);
+ 	if (rdpsnd->device)
+ 	{
+ 		IFCALL(rdpsnd->device->Free, rdpsnd->device);
+ 		rdpsnd->device = NULL;
+ 	}
+ 
+-	free_internals(rdpsnd);
+ 	free(pChannelCallback);
+ 	return CHANNEL_RC_OK;
+ }
+-- 
+2.53.0
+
diff --git a/SOURCES/channels-ainput-lock-context-when-updating-listener.patch b/SOURCES/channels-ainput-lock-context-when-updating-listener.patch
new file mode 100644
index 0000000..c12b07a
--- /dev/null
+++ b/SOURCES/channels-ainput-lock-context-when-updating-listener.patch
@@ -0,0 +1,132 @@
+From 6bf4e2558861e06fd68ef8036796ff475a1c23fa Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Fri, 13 Mar 2026 15:24:09 +0100
+Subject: [PATCH] [channels,ainput] lock context when updating listener
+
+Backport of commit d9ca272dce7a776ab475e9b1a8e8c3d2968c8486.
+
+Made-with: Cursor
+---
+ channels/ainput/client/ainput_main.c | 38 ++++++++++++++++++++--------
+ 1 file changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/channels/ainput/client/ainput_main.c b/channels/ainput/client/ainput_main.c
+index d8eb8ec59..ff901d2a0 100644
+--- a/channels/ainput/client/ainput_main.c
++++ b/channels/ainput/client/ainput_main.c
+@@ -28,6 +28,7 @@
+ #include <winpr/crt.h>
+ #include <winpr/assert.h>
+ #include <winpr/stream.h>
++#include <winpr/synch.h>
+ #include <winpr/sysinfo.h>
+ 
+ #include "ainput_main.h"
+@@ -69,6 +70,7 @@ struct AINPUT_PLUGIN_
+ 	UINT32 MajorVersion;
+ 	UINT32 MinorVersion;
+ 	BOOL initialized;
++	CRITICAL_SECTION lock;
+ };
+ 
+ /**
+@@ -109,10 +111,7 @@ static UINT ainput_on_data_received(IWTSVirtualChannelCallback* pChannelCallback
+ 
+ static UINT ainput_send_input_event(AInputClientContext* context, UINT64 flags, INT32 x, INT32 y)
+ {
+-	AINPUT_PLUGIN* ainput;
+-	AINPUT_CHANNEL_CALLBACK* callback;
+ 	BYTE buffer[32] = { 0 };
+-	UINT64 time;
+ 	wStream sbuffer = { 0 };
+ 	wStream* s = &sbuffer;
+ 
+@@ -121,8 +120,8 @@ static UINT ainput_send_input_event(AInputClientContext* context, UINT64 flags,
+ 	WINPR_ASSERT(s);
+ 	WINPR_ASSERT(context);
+ 
+-	time = GetTickCount64();
+-	ainput = (AINPUT_PLUGIN*)context->handle;
++	const UINT64 time = GetTickCount64();
++	AINPUT_PLUGIN* ainput = (AINPUT_PLUGIN*)context->handle;
+ 	WINPR_ASSERT(ainput);
+ 	WINPR_ASSERT(ainput->listener_callback);
+ 
+@@ -132,8 +131,6 @@ static UINT ainput_send_input_event(AInputClientContext* context, UINT64 flags,
+ 		          ainput->MajorVersion, ainput->MinorVersion);
+ 		return CHANNEL_RC_UNSUPPORTED_VERSION;
+ 	}
+-	callback = ainput->listener_callback->channel_callback;
+-	WINPR_ASSERT(callback);
+ 
+ 	{
+ 		char buffer[128] = { 0 };
+@@ -152,10 +149,15 @@ static UINT ainput_send_input_event(AInputClientContext* context, UINT64 flags,
+ 	Stream_SealLength(s);
+ 
+ 	/* ainput back what we have received. AINPUT does not have any message IDs. */
++	EnterCriticalSection(&ainput->lock);
++	AINPUT_CHANNEL_CALLBACK* callback = ainput->listener_callback->channel_callback;
++	WINPR_ASSERT(callback);
+ 	WINPR_ASSERT(callback->channel);
+ 	WINPR_ASSERT(callback->channel->Write);
+-	return callback->channel->Write(callback->channel, (ULONG)Stream_Length(s), Stream_Buffer(s),
+-	                                NULL);
++	const UINT rc = callback->channel->Write(callback->channel, (ULONG)Stream_Length(s),
++	                                         Stream_Buffer(s), NULL);
++	LeaveCriticalSection(&ainput->lock);
++	return rc;
+ }
+ 
+ /**
+@@ -167,8 +169,16 @@ static UINT ainput_on_close(IWTSVirtualChannelCallback* pChannelCallback)
+ {
+ 	AINPUT_CHANNEL_CALLBACK* callback = (AINPUT_CHANNEL_CALLBACK*)pChannelCallback;
+ 
+-	free(callback);
++	if (callback)
++	{
++		AINPUT_PLUGIN* ainput = (AINPUT_PLUGIN*)callback->plugin;
++		WINPR_ASSERT(ainput);
+ 
++		/* Lock here to ensure that no ainput_send_input_event is in progress. */
++		EnterCriticalSection(&ainput->lock);
++		free(callback);
++		LeaveCriticalSection(&ainput->lock);
++	}
+ 	return CHANNEL_RC_OK;
+ }
+ 
+@@ -255,6 +265,7 @@ static UINT ainput_plugin_initialize(IWTSPlugin* pPlugin, IWTSVirtualChannelMana
+ static UINT ainput_plugin_terminated(IWTSPlugin* pPlugin)
+ {
+ 	AINPUT_PLUGIN* ainput = (AINPUT_PLUGIN*)pPlugin;
++
+ 	if (ainput && ainput->listener_callback)
+ 	{
+ 		IWTSVirtualChannelManager* mgr = ainput->listener_callback->channel_mgr;
+@@ -263,6 +274,7 @@ static UINT ainput_plugin_terminated(IWTSPlugin* pPlugin)
+ 	}
+ 	if (ainput)
+ 	{
++		DeleteCriticalSection(&ainput->lock);
+ 		free(ainput->listener_callback);
+ 		free(ainput->iface.pInterface);
+ 	}
+@@ -306,8 +318,12 @@ UINT DVCPluginEntry(IDRDYNVC_ENTRY_POINTS* pEntryPoints)
+ 
+ 		context->handle = (void*)ainput;
+ 		context->AInputSendInputEvent = ainput_send_input_event;
+-		ainput->iface.pInterface = (void*)context;
+ 
++		InitializeCriticalSection(&ainput->lock);
++
++		EnterCriticalSection(&ainput->lock);
++		ainput->iface.pInterface = (void*)context;
++		LeaveCriticalSection(&ainput->lock);
+ 		status = pEntryPoints->RegisterPlugin(pEntryPoints, AINPUT_CHANNEL_NAME, &ainput->iface);
+ 	}
+ 
+-- 
+2.53.0
+
diff --git a/SOURCES/channels-audin-free-up-old-audio-formats.patch b/SOURCES/channels-audin-free-up-old-audio-formats.patch
new file mode 100644
index 0000000..b3ccc0b
--- /dev/null
+++ b/SOURCES/channels-audin-free-up-old-audio-formats.patch
@@ -0,0 +1,27 @@
+From cd1ffa112cfbe1b40a9fd57e299a8ea12e23df0d Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Sat, 10 Jan 2026 08:36:38 +0100
+Subject: [PATCH] [channels,audin] free up old audio formats
+
+---
+ channels/audin/client/audin_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/channels/audin/client/audin_main.c b/channels/audin/client/audin_main.c
+index bcaf1a646..b4c8ba580 100644
+--- a/channels/audin/client/audin_main.c
++++ b/channels/audin/client/audin_main.c
+@@ -206,6 +206,10 @@ static UINT audin_process_formats(AUDIN_PLUGIN* audin, AUDIN_CHANNEL_CALLBACK* c
+ 	}
+ 
+ 	Stream_Seek_UINT32(s); /* cbSizeFormatsPacket */
++
++	audio_formats_free(callback->formats, callback->formats_count);
++	callback->formats_count = 0;
++
+ 	callback->formats = audio_formats_new(NumFormats);
+ 
+ 	if (!callback->formats)
+-- 
+2.53.0
+
diff --git a/SOURCES/channels-audin-reset-audin-format.patch b/SOURCES/channels-audin-reset-audin-format.patch
new file mode 100644
index 0000000..a04cee4
--- /dev/null
+++ b/SOURCES/channels-audin-reset-audin-format.patch
@@ -0,0 +1,33 @@
+From fa33edf53a2087c106b2801745bdff0f4a589425 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 26 Jan 2026 10:20:23 +0100
+Subject: [PATCH] [channels,audin] reset audin->format
+
+Whenever the underlying structure changes reset the pointer to NULL
+---
+ channels/audin/client/audin_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/channels/audin/client/audin_main.c b/channels/audin/client/audin_main.c
+index 5ffe09127..332aef9da 100644
+--- a/channels/audin/client/audin_main.c
++++ b/channels/audin/client/audin_main.c
+@@ -220,6 +220,7 @@ static UINT audin_process_formats(AUDIN_PLUGIN* audin, AUDIN_CHANNEL_CALLBACK* c
+ 
+ 	Stream_Seek_UINT32(s); /* cbSizeFormatsPacket */
+ 
++	audin->format = NULL;
+ 	audio_formats_free(callback->formats, callback->formats_count);
+ 	callback->formats_count = 0;
+ 
+@@ -297,6 +298,7 @@ out:
+ 
+ 	if (error != CHANNEL_RC_OK)
+ 	{
++		audin->format = NULL;
+ 		audio_formats_free(callback->formats, NumFormats);
+ 		callback->formats = NULL;
+ 	}
+-- 
+2.53.0
+
diff --git a/SOURCES/channels-drdynvc-reset-channel_callback-before-close.patch b/SOURCES/channels-drdynvc-reset-channel_callback-before-close.patch
new file mode 100644
index 0000000..6c36ddd
--- /dev/null
+++ b/SOURCES/channels-drdynvc-reset-channel_callback-before-close.patch
@@ -0,0 +1,34 @@
+From 7865a2832ebdfd04374c787c917b3ea7f078ba2c Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Wed, 11 Mar 2026 16:55:44 +0100
+Subject: [PATCH] [channels,drdynvc] reset channel_callback before close
+
+Backport of commit e02e052f6692550e539d10f99de9c35a23492db2.
+
+Made-with: Cursor
+---
+ channels/drdynvc/client/drdynvc_main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/channels/drdynvc/client/drdynvc_main.c b/channels/drdynvc/client/drdynvc_main.c
+index b2005a903..0a4af7179 100644
+--- a/channels/drdynvc/client/drdynvc_main.c
++++ b/channels/drdynvc/client/drdynvc_main.c
+@@ -346,10 +346,11 @@ static void dvcman_channel_free(void* arg)
+ 
+ 	if (channel)
+ 	{
+-		if (channel->channel_callback)
++		IWTSVirtualChannelCallback* cb = channel->channel_callback;
++		channel->channel_callback = NULL;
++		if (cb)
+ 		{
+-			IFCALL(channel->channel_callback->OnClose, channel->channel_callback);
+-			channel->channel_callback = NULL;
++			IFCALL(cb->OnClose, cb);
+ 		}
+ 
+ 		if (channel->status == CHANNEL_RC_OK)
+-- 
+2.53.0
+
diff --git a/SOURCES/channels-drive-fix-constant-type.patch b/SOURCES/channels-drive-fix-constant-type.patch
new file mode 100644
index 0000000..9bf0c8a
--- /dev/null
+++ b/SOURCES/channels-drive-fix-constant-type.patch
@@ -0,0 +1,26 @@
+From 3da319570c8a6be0a79b3306f1ed354c4a943259 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 12 Jan 2026 03:44:06 +0100
+Subject: [PATCH] [channels,drive] fix constant type
+
+ensure constant is of 64bit integer type
+---
+ channels/drive/client/drive_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/channels/drive/client/drive_main.c b/channels/drive/client/drive_main.c
+index 1dce5c348..13188fbc6 100644
+--- a/channels/drive/client/drive_main.c
++++ b/channels/drive/client/drive_main.c
+@@ -302,7 +302,7 @@ static UINT drive_process_irp_read(DRIVE_DEVICE* drive, IRP* irp)
+ 		Length = 0;
+ 	}
+ 
+-	if (!Stream_EnsureRemainingCapacity(irp->output, Length + 4))
++	if (!Stream_EnsureRemainingCapacity(irp->output, 4ull + Length))
+ 	{
+ 		WLog_ERR(TAG, "Stream_EnsureRemainingCapacity failed!");
+ 		return ERROR_INTERNAL_ERROR;
+-- 
+2.53.0
+
diff --git a/SOURCES/channels-rdpsnd-terminate-thread-before-free.patch b/SOURCES/channels-rdpsnd-terminate-thread-before-free.patch
new file mode 100644
index 0000000..56b3f27
--- /dev/null
+++ b/SOURCES/channels-rdpsnd-terminate-thread-before-free.patch
@@ -0,0 +1,73 @@
+From c9f2b4222cf51a259b77ed4e83c45f6a08884cb8 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Fri, 13 Mar 2026 15:46:17 +0100
+Subject: [PATCH] [channels,rdpsnd] terminate thread before free
+
+Backport of commit 622bb7b4402491ca003f47472d0e478132673696.
+
+Made-with: Cursor
+---
+ channels/rdpsnd/client/rdpsnd_main.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/channels/rdpsnd/client/rdpsnd_main.c b/channels/rdpsnd/client/rdpsnd_main.c
+index 3de4cbc66..c7660a857 100644
+--- a/channels/rdpsnd/client/rdpsnd_main.c
++++ b/channels/rdpsnd/client/rdpsnd_main.c
+@@ -36,6 +36,7 @@
+ #include <string.h>
+ #include <errno.h>
+ 
++#include <winpr/assert.h>
+ #include <winpr/crt.h>
+ #include <winpr/wlog.h>
+ #include <winpr/stream.h>
+@@ -1244,11 +1245,29 @@ fail:
+ 	return CHANNEL_RC_NO_MEMORY;
+ }
+ 
++static void rdpsnd_terminate_thread(rdpsndPlugin* rdpsnd)
++{
++	WINPR_ASSERT(rdpsnd);
++	if (rdpsnd->queue)
++		MessageQueue_PostQuit(rdpsnd->queue, 0);
++
++	if (rdpsnd->thread)
++	{
++		(void)WaitForSingleObject(rdpsnd->thread, INFINITE);
++		(void)CloseHandle(rdpsnd->thread);
++	}
++
++	MessageQueue_Free(rdpsnd->queue);
++	rdpsnd->thread = NULL;
++	rdpsnd->queue = NULL;
++}
++
+ static void cleanup_internals(rdpsndPlugin* rdpsnd)
+ {
+ 	if (!rdpsnd)
+ 		return;
+ 
++	rdpsnd_terminate_thread(rdpsnd);
+ 	if (rdpsnd->pool)
+ 		StreamPool_Return(rdpsnd->pool, rdpsnd->data_in);
+ 
+@@ -1396,14 +1415,7 @@ void rdpsnd_virtual_channel_event_terminated(rdpsndPlugin* rdpsnd)
+ {
+ 	if (rdpsnd)
+ 	{
+-		if (rdpsnd->queue)
+-			MessageQueue_PostQuit(rdpsnd->queue, 0);
+-		if (rdpsnd->thread)
+-		{
+-			WaitForSingleObject(rdpsnd->thread, INFINITE);
+-			CloseHandle(rdpsnd->thread);
+-		}
+-		MessageQueue_Free(rdpsnd->queue);
++		rdpsnd_terminate_thread(rdpsnd);
+ 
+ 		free_internals(rdpsnd);
+ 		audio_formats_free(rdpsnd->fixed_format, 1);
+-- 
+2.53.0
+
diff --git a/SOURCES/channels-serial-explicitly-lock-serial-IrpThreads.patch b/SOURCES/channels-serial-explicitly-lock-serial-IrpThreads.patch
new file mode 100644
index 0000000..2e411cf
--- /dev/null
+++ b/SOURCES/channels-serial-explicitly-lock-serial-IrpThreads.patch
@@ -0,0 +1,55 @@
+From c0283812c918c7738facafac52cf51d916536138 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Tue, 10 Mar 2026 08:47:57 +0100
+Subject: [PATCH] [channels,serial] explicitly lock serial->IrpThreads
+
+Backport of commit 675c20f08f32ca5ec06297108bdf30147d6e2cd9.
+
+Made-with: Cursor
+---
+ channels/serial/client/serial_main.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/channels/serial/client/serial_main.c b/channels/serial/client/serial_main.c
+index d76d725f1..c8a27c46c 100644
+--- a/channels/serial/client/serial_main.c
++++ b/channels/serial/client/serial_main.c
+@@ -597,7 +597,10 @@ static void create_irp_thread(SERIAL_DEVICE* serial, IRP* irp)
+ 	 * observed with FreeRDP).
+ 	 */
+ 	key = irp->CompletionId;
++
++	ListDictionary_Lock(serial->IrpThreads);
+ 	previousIrpThread = ListDictionary_GetItemValue(serial->IrpThreads, (void*)key);
++	ListDictionary_Unlock(serial->IrpThreads);
+ 
+ 	if (previousIrpThread)
+ 	{
+@@ -678,6 +681,7 @@ static void terminate_pending_irp_threads(SERIAL_DEVICE* serial)
+ {
+ 	ULONG_PTR* ids;
+ 	int i, nbIds;
++	ListDictionary_Lock(serial->IrpThreads);
+ 	nbIds = ListDictionary_GetKeys(serial->IrpThreads, &ids);
+ 	WLog_Print(serial->log, WLOG_DEBUG, "Terminating %d IRP thread(s)", nbIds);
+ 
+@@ -699,6 +703,7 @@ static void terminate_pending_irp_threads(SERIAL_DEVICE* serial)
+ 	}
+ 
+ 	ListDictionary_Clear(serial->IrpThreads);
++	ListDictionary_Unlock(serial->IrpThreads);
+ 	free(ids);
+ }
+ 
+@@ -932,7 +937,7 @@ UINT DeviceServiceEntry(PDEVICE_SERVICE_ENTRY_POINTS pEntryPoints)
+ 		}
+ 
+ 		/* IrpThreads content only modified by create_irp_thread() */
+-		serial->IrpThreads = ListDictionary_New(TRUE);
++		serial->IrpThreads = ListDictionary_New(FALSE);
+ 
+ 		if (!serial->IrpThreads)
+ 		{
+-- 
+2.53.0
+
diff --git a/SOURCES/channels-serial-lock-list-dictionary.patch b/SOURCES/channels-serial-lock-list-dictionary.patch
new file mode 100644
index 0000000..41bc331
--- /dev/null
+++ b/SOURCES/channels-serial-lock-list-dictionary.patch
@@ -0,0 +1,89 @@
+From 7cf742159bd2675366c7187c4bc51018b548d228 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Tue, 10 Mar 2026 08:47:45 +0100
+Subject: [PATCH] [channels,serial] lock list dictionary
+
+Backport of commit b35aa3614d32bff3fc1272cd7c4617f711fca1a4.
+
+Made-with: Cursor
+---
+ channels/serial/client/serial_main.c | 35 ++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 15 deletions(-)
+
+diff --git a/channels/serial/client/serial_main.c b/channels/serial/client/serial_main.c
+index afe67b4d3..d76d725f1 100644
+--- a/channels/serial/client/serial_main.c
++++ b/channels/serial/client/serial_main.c
+@@ -540,6 +540,7 @@ static void create_irp_thread(SERIAL_DEVICE* serial, IRP* irp)
+ 		HANDLE irpThread;
+ 		ULONG_PTR* ids;
+ 		int i, nbIds;
++		ListDictionary_Lock(serial->IrpThreads);
+ 		nbIds = ListDictionary_GetKeys(serial->IrpThreads, &ids);
+ 
+ 		for (i = 0; i < nbIds; i++)
+@@ -581,6 +582,7 @@ static void create_irp_thread(SERIAL_DEVICE* serial, IRP* irp)
+ 		}
+ 
+ 		free(ids);
++		ListDictionary_Unlock(serial->IrpThreads);
+ 	}
+ 
+ 	LeaveCriticalSection(&serial->TerminatingIrpThreadsLock);
+@@ -621,19 +623,6 @@ static void create_irp_thread(SERIAL_DEVICE* serial, IRP* irp)
+ 		return;
+ 	}
+ 
+-	if (ListDictionary_Count(serial->IrpThreads) >= MAX_IRP_THREADS)
+-	{
+-		WLog_Print(serial->log, WLOG_WARN,
+-		           "Number of IRP threads threshold reached: %d, keep on anyway",
+-		           ListDictionary_Count(serial->IrpThreads));
+-		assert(FALSE); /* unimplemented */
+-		               /* TODO: MAX_IRP_THREADS has been thought to avoid a
+-		                * flooding of pending requests. Use
+-		                * WaitForMultipleObjects() when available in winpr
+-		                * for threads.
+-		                */
+-	}
+-
+ 	/* error_handle to be used ... */
+ 	data = (IRP_THREAD_DATA*)calloc(1, sizeof(IRP_THREAD_DATA));
+ 
+@@ -656,7 +645,23 @@ static void create_irp_thread(SERIAL_DEVICE* serial, IRP* irp)
+ 
+ 	key = irp->CompletionId;
+ 
+-	if (!ListDictionary_Add(serial->IrpThreads, (void*)key, irpThread))
++	ListDictionary_Lock(serial->IrpThreads);
++	if (ListDictionary_Count(serial->IrpThreads) >= MAX_IRP_THREADS)
++	{
++		WLog_Print(serial->log, WLOG_WARN,
++		           "Number of IRP threads threshold reached: %d, keep on anyway",
++		           ListDictionary_Count(serial->IrpThreads));
++		assert(FALSE); /* unimplemented */
++		               /* TODO: MAX_IRP_THREADS has been thought to avoid a
++		                * flooding of pending requests. Use
++		                * WaitForMultipleObjects() when available in winpr
++		                * for threads.
++		                */
++	}
++	const BOOL added = ListDictionary_Add(serial->IrpThreads, (void*)key, irpThread);
++	ListDictionary_Unlock(serial->IrpThreads);
++
++	if (!added)
+ 	{
+ 		WLog_ERR(TAG, "ListDictionary_Add failed!");
+ 		goto error_handle;
+@@ -927,7 +932,7 @@ UINT DeviceServiceEntry(PDEVICE_SERVICE_ENTRY_POINTS pEntryPoints)
+ 		}
+ 
+ 		/* IrpThreads content only modified by create_irp_thread() */
+-		serial->IrpThreads = ListDictionary_New(FALSE);
++		serial->IrpThreads = ListDictionary_New(TRUE);
+ 
+ 		if (!serial->IrpThreads)
+ 		{
+-- 
+2.53.0
+
diff --git a/SOURCES/channels-urbdrc-cancel-all-usb-transfers-on-channel-.patch b/SOURCES/channels-urbdrc-cancel-all-usb-transfers-on-channel-.patch
new file mode 100644
index 0000000..0fccb7d
--- /dev/null
+++ b/SOURCES/channels-urbdrc-cancel-all-usb-transfers-on-channel-.patch
@@ -0,0 +1,24 @@
+From 414f701464929c217f2509bcbd6d2c1f00f7ed73 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 26 Jan 2026 11:07:25 +0100
+Subject: [PATCH] [channels,urbdrc] cancel all usb transfers on channel close
+
+---
+ channels/urbdrc/client/libusb/libusb_udevice.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/channels/urbdrc/client/libusb/libusb_udevice.c b/channels/urbdrc/client/libusb/libusb_udevice.c
+index 5341248ec..9e2d3ec5a 100644
+--- a/channels/urbdrc/client/libusb/libusb_udevice.c
++++ b/channels/urbdrc/client/libusb/libusb_udevice.c
+@@ -1165,6 +1165,7 @@ static void libusb_udev_mark_channel_closed(IUDEVICE* idev)
+ 		const uint8_t devNr = idev->get_dev_number(idev);
+ 
+ 		pdev->status |= URBDRC_DEVICE_CHANNEL_CLOSED;
++		pdev->iface.cancel_all_transfer_request(&pdev->iface);
+ 		urbdrc->udevman->unregister_udevice(urbdrc->udevman, busNr, devNr);
+ 	}
+ }
+-- 
+2.53.0
+
diff --git a/SOURCES/channels-urbdrc-do-not-free-MsConfig-on-failure.patch b/SOURCES/channels-urbdrc-do-not-free-MsConfig-on-failure.patch
new file mode 100644
index 0000000..00771fe
--- /dev/null
+++ b/SOURCES/channels-urbdrc-do-not-free-MsConfig-on-failure.patch
@@ -0,0 +1,31 @@
+From aaad4718d80b0354fd807d680b12390075fe4fa0 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Wed, 11 Mar 2026 12:27:47 +0100
+Subject: [PATCH] [channels,urbdrc] do not free MsConfig on failure
+
+Backport of commit d676518809c319eec15911c705c13536036af2ae.
+
+Made-with: Cursor
+---
+ channels/urbdrc/client/data_transfer.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
+index ed6ccf32d..c547d52d7 100644
+--- a/channels/urbdrc/client/data_transfer.c
++++ b/channels/urbdrc/client/data_transfer.c
+@@ -570,10 +570,8 @@ static UINT urb_select_interface(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callba
+ 	MsConfig = pdev->get_MsConfig(pdev);
+ 	InterfaceNumber = MsInterface->InterfaceNumber;
+ 	if (!msusb_msinterface_replace(MsConfig, InterfaceNumber, MsInterface))
+-	{
+-		msusb_msconfig_free(MsConfig);
+ 		return ERROR_BAD_CONFIGURATION;
+-	}
++
+ 	/* complete configuration setup */
+ 	if (!pdev->complete_msconfig_setup(pdev, MsConfig))
+ 	{
+-- 
+2.53.0
+
diff --git a/SOURCES/channels-urbdrc-ensure-InterfaceNumber-is-within-ran.patch b/SOURCES/channels-urbdrc-ensure-InterfaceNumber-is-within-ran.patch
new file mode 100644
index 0000000..1c214a0
--- /dev/null
+++ b/SOURCES/channels-urbdrc-ensure-InterfaceNumber-is-within-ran.patch
@@ -0,0 +1,45 @@
+From ea49391b3463b7df18eb9c358cdec04edf9c4001 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 12 Mar 2026 11:03:20 +0100
+Subject: [PATCH] [channels,urbdrc] ensure InterfaceNumber is within range
+
+Backport of commit 2d563a50be17c1b407ca448b1321378c0726dd31.
+
+Made-with: Cursor
+---
+ channels/urbdrc/client/libusb/libusb_udevice.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/channels/urbdrc/client/libusb/libusb_udevice.c b/channels/urbdrc/client/libusb/libusb_udevice.c
+index b2d80243b..ae8bbb4c5 100644
+--- a/channels/urbdrc/client/libusb/libusb_udevice.c
++++ b/channels/urbdrc/client/libusb/libusb_udevice.c
+@@ -528,19 +528,19 @@ static int libusb_udev_select_interface(IUDEVICE* idev, BYTE InterfaceNumber, BY
+ {
+ 	int error = 0, diff = 0;
+ 	UDEVICE* pdev = (UDEVICE*)idev;
+-	URBDRC_PLUGIN* urbdrc;
+-	MSUSB_CONFIG_DESCRIPTOR* MsConfig;
+-	MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces;
+ 
+ 	if (!pdev || !pdev->urbdrc)
+ 		return -1;
+ 
+-	urbdrc = pdev->urbdrc;
+-	MsConfig = pdev->MsConfig;
++	URBDRC_PLUGIN* urbdrc = pdev->urbdrc;
++	MSUSB_CONFIG_DESCRIPTOR* MsConfig = pdev->MsConfig;
+ 
+ 	if (MsConfig)
+ 	{
+-		MsInterfaces = MsConfig->MsInterfaces;
++		if (InterfaceNumber >= MsConfig->NumInterfaces)
++			return -2;
++
++		MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces = MsConfig->MsInterfaces;
+ 		if (MsInterfaces)
+ 		{
+ 			WLog_Print(urbdrc->log, WLOG_INFO,
+-- 
+2.53.0
+
diff --git a/SOURCES/channels-video-fix-wrong-cast.patch b/SOURCES/channels-video-fix-wrong-cast.patch
new file mode 100644
index 0000000..18bab1b
--- /dev/null
+++ b/SOURCES/channels-video-fix-wrong-cast.patch
@@ -0,0 +1,37 @@
+From 970ad2311e69589004d6a84961aa9d1e3b33c085 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 26 Mar 2026 15:57:34 +0100
+Subject: [PATCH] [channels,video] fix wrong cast
+
+Backport of commit e01cd85c8003a245ef9778f0eda4b9235514c201.
+
+Made-with: Cursor
+---
+ channels/video/client/video_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/channels/video/client/video_main.c b/channels/video/client/video_main.c
+index 641231b1d..0af78140e 100644
+--- a/channels/video/client/video_main.c
++++ b/channels/video/client/video_main.c
+@@ -959,7 +959,7 @@ static UINT video_control_on_close(IWTSVirtualChannelCallback* pChannelCallback)
+ {
+ 	if (pChannelCallback)
+ 	{
+-		VIDEO_LISTENER_CALLBACK* listener_callback = (VIDEO_LISTENER_CALLBACK*)pChannelCallback;
++		VIDEO_CHANNEL_CALLBACK* listener_callback = (VIDEO_CHANNEL_CALLBACK*)pChannelCallback;
+ 		VIDEO_PLUGIN* video = (VIDEO_PLUGIN*)listener_callback->plugin;
+ 		if (video && video->control_callback)
+ 		{
+@@ -974,7 +974,7 @@ static UINT video_data_on_close(IWTSVirtualChannelCallback* pChannelCallback)
+ {
+ 	if (pChannelCallback)
+ 	{
+-		VIDEO_LISTENER_CALLBACK* listener_callback = (VIDEO_LISTENER_CALLBACK*)pChannelCallback;
++		VIDEO_CHANNEL_CALLBACK* listener_callback = (VIDEO_CHANNEL_CALLBACK*)pChannelCallback;
+ 		VIDEO_PLUGIN* video = (VIDEO_PLUGIN*)listener_callback->plugin;
+ 		if (video && video->data_callback)
+ 		{
+-- 
+2.53.0
+
diff --git a/SOURCES/channels-video-unify-error-handling.patch b/SOURCES/channels-video-unify-error-handling.patch
new file mode 100644
index 0000000..7eaa992
--- /dev/null
+++ b/SOURCES/channels-video-unify-error-handling.patch
@@ -0,0 +1,121 @@
+From 2cfdc16faed93a8d5d1ec391788547409df986de Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 26 Mar 2026 15:57:28 +0100
+Subject: [PATCH] [channels,video] unify error handling
+
+Partial backport of commit 635ae3c8193256db01774fab5ff11bcae57aed6b.
+
+Made-with: Cursor
+---
+ channels/video/client/video_main.c | 45 ++++++++++++++++++++++--------
+ 1 file changed, 34 insertions(+), 11 deletions(-)
+
+diff --git a/channels/video/client/video_main.c b/channels/video/client/video_main.c
+index a8031fc86..641231b1d 100644
+--- a/channels/video/client/video_main.c
++++ b/channels/video/client/video_main.c
+@@ -25,7 +25,9 @@
+ #include <stdlib.h>
+ #include <string.h>
+ 
++#include <winpr/assert.h>
+ #include <winpr/crt.h>
++#include <winpr/error.h>
+ #include <winpr/synch.h>
+ #include <winpr/print.h>
+ #include <winpr/stream.h>
+@@ -351,14 +353,24 @@ static void VideoClientContextPriv_free(VideoClientContextPriv* priv)
+ 	free(priv);
+ }
+ 
++static UINT video_channel_write(VIDEO_PLUGIN* video, const BYTE* data, UINT32 length)
++{
++	WINPR_ASSERT(video);
++
++	if (!video->control_callback || !video->control_callback->channel_callback)
++		return ERROR_BAD_CONFIGURATION;
++	IWTSVirtualChannel* channel = video->control_callback->channel_callback->channel;
++	if (!channel || !channel->Write)
++		return ERROR_BAD_CONFIGURATION;
++	return channel->Write(channel, length, data, NULL);
++}
++
+ static UINT video_control_send_presentation_response(VideoClientContext* context,
+                                                      TSMM_PRESENTATION_RESPONSE* resp)
+ {
+ 	BYTE buf[12];
+ 	wStream* s;
+ 	VIDEO_PLUGIN* video = (VIDEO_PLUGIN*)context->handle;
+-	IWTSVirtualChannel* channel;
+-	UINT ret;
+ 
+ 	s = Stream_New(buf, 12);
+ 	if (!s)
+@@ -370,11 +382,9 @@ static UINT video_control_send_presentation_response(VideoClientContext* context
+ 	Stream_Zero(s, 3);
+ 	Stream_SealLength(s);
+ 
+-	channel = video->control_callback->channel_callback->channel;
+-	ret = channel->Write(channel, 12, buf, NULL);
+ 	Stream_Free(s, FALSE);
+ 
+-	return ret;
++	return video_channel_write(video, buf, sizeof(buf));
+ }
+ 
+ static BOOL video_onMappedGeometryUpdate(MAPPED_GEOMETRY* geometry)
+@@ -592,8 +602,6 @@ static UINT video_control_send_client_notification(VideoClientContext* context,
+ 	BYTE buf[100];
+ 	wStream* s;
+ 	VIDEO_PLUGIN* video = (VIDEO_PLUGIN*)context->handle;
+-	IWTSVirtualChannel* channel;
+-	UINT ret;
+ 	UINT32 cbSize;
+ 
+ 	s = Stream_New(buf, 30);
+@@ -627,10 +635,7 @@ static UINT video_control_send_client_notification(VideoClientContext* context,
+ 	Stream_Write_UINT32(s, cbSize);
+ 	Stream_Free(s, FALSE);
+ 
+-	channel = video->control_callback->channel_callback->channel;
+-	ret = channel->Write(channel, cbSize, buf, NULL);
+-
+-	return ret;
++	return video_channel_write(video, buf, cbSize);
+ }
+ 
+ static void video_timer(VideoClientContext* video, UINT64 now)
+@@ -952,12 +957,30 @@ static UINT video_data_on_data_received(IWTSVirtualChannelCallback* pChannelCall
+  */
+ static UINT video_control_on_close(IWTSVirtualChannelCallback* pChannelCallback)
+ {
++	if (pChannelCallback)
++	{
++		VIDEO_LISTENER_CALLBACK* listener_callback = (VIDEO_LISTENER_CALLBACK*)pChannelCallback;
++		VIDEO_PLUGIN* video = (VIDEO_PLUGIN*)listener_callback->plugin;
++		if (video && video->control_callback)
++		{
++			video->control_callback->channel_callback = NULL;
++		}
++	}
+ 	free(pChannelCallback);
+ 	return CHANNEL_RC_OK;
+ }
+ 
+ static UINT video_data_on_close(IWTSVirtualChannelCallback* pChannelCallback)
+ {
++	if (pChannelCallback)
++	{
++		VIDEO_LISTENER_CALLBACK* listener_callback = (VIDEO_LISTENER_CALLBACK*)pChannelCallback;
++		VIDEO_PLUGIN* video = (VIDEO_PLUGIN*)listener_callback->plugin;
++		if (video && video->data_callback)
++		{
++			video->data_callback->channel_callback = NULL;
++		}
++	}
+ 	free(pChannelCallback);
+ 	return CHANNEL_RC_OK;
+ }
+-- 
+2.53.0
+
diff --git a/SOURCES/codec-color-add-freerdp_glyph_convert_ex.patch b/SOURCES/codec-color-add-freerdp_glyph_convert_ex.patch
new file mode 100644
index 0000000..797f126
--- /dev/null
+++ b/SOURCES/codec-color-add-freerdp_glyph_convert_ex.patch
@@ -0,0 +1,114 @@
+From b54003ad2dcb69b3c7836ae1445c48af8b39cd4c Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Sat, 28 Mar 2026 12:13:04 +0100
+Subject: [PATCH] [codec,color] add freerdp_glyph_convert_ex
+
+Backport of commit 3bc1eeb4f63ceec9a696af194e4c1ea0e67ff60c.
+
+Made-with: Cursor
+---
+ libfreerdp/codec/color.c  | 12 +++++++++--
+ libfreerdp/gdi/graphics.c | 45 +++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 55 insertions(+), 2 deletions(-)
+
+diff --git a/libfreerdp/codec/color.c b/libfreerdp/codec/color.c
+index f8467c295..4c72ee3e6 100644
+--- a/libfreerdp/codec/color.c
++++ b/libfreerdp/codec/color.c
+@@ -28,6 +28,7 @@
+ #include <stdlib.h>
+ 
+ #include <winpr/crt.h>
++#include <winpr/assert.h>
+ 
+ #include <freerdp/log.h>
+ #include <freerdp/freerdp.h>
+@@ -49,13 +50,20 @@ BYTE* freerdp_glyph_convert(UINT32 width, UINT32 height, const BYTE* data)
+ 	const BYTE* srcp;
+ 	BYTE* dstp;
+ 	BYTE* dstData;
+-	UINT32 scanline;
++	size_t scanline;
++
+ 	/*
+ 	 * converts a 1-bit-per-pixel glyph to a one-byte-per-pixel glyph:
+ 	 * this approach uses a little more memory, but provides faster
+ 	 * means of accessing individual pixels in blitting operations
+ 	 */
+-	scanline = (width + 7) / 8;
++	scanline = (width + 7ull) / 8ull;
++
++	if ((width == 0) || (height == 0))
++		return NULL;
++
++	WINPR_ASSERT(data);
++
+ 	dstData = (BYTE*)_aligned_malloc(1ull * width * height, 16);
+ 
+ 	if (!dstData)
+diff --git a/libfreerdp/gdi/graphics.c b/libfreerdp/gdi/graphics.c
+index 479eac9b8..dab159c43 100644
+--- a/libfreerdp/gdi/graphics.c
++++ b/libfreerdp/gdi/graphics.c
+@@ -23,6 +23,7 @@
+ #include "config.h"
+ #endif
+ 
++#include <winpr/assert.h>
+ #include <winpr/crt.h>
+ 
+ #include <freerdp/log.h>
+@@ -215,6 +216,50 @@ static BOOL gdi_Bitmap_SetSurface(rdpContext* context, rdpBitmap* bitmap, BOOL p
+ }
+ 
+ /* Glyph Class */
++static BYTE* freerdp_glyph_convert_ex(UINT32 width, UINT32 height, const BYTE* data, size_t len)
++{
++	/*
++	 * converts a 1-bit-per-pixel glyph to a one-byte-per-pixel glyph:
++	 * this approach uses a little more memory, but provides faster
++	 * means of accessing individual pixels in blitting operations
++	 */
++	const size_t scanline = (width + 7ull) / 8ull;
++	const size_t required = scanline * height;
++	if (len < required)
++		return NULL;
++
++	if ((len == 0) || (width == 0) || (height == 0))
++		return NULL;
++
++	WINPR_ASSERT(data);
++
++	BYTE* dstData = (BYTE*)_aligned_malloc(1ull * width * height, 16);
++
++	if (!dstData)
++		return NULL;
++
++	ZeroMemory(dstData, 1ULL * width * height);
++	BYTE* dstp = dstData;
++
++	for (UINT32 y = 0; y < height; y++)
++	{
++		const BYTE* srcp = &data[1ull * y * scanline];
++
++		for (UINT32 x = 0; x < width; x++)
++		{
++			if ((*srcp & (0x80 >> (x % 8))) != 0)
++				*dstp = 0xFF;
++
++			dstp++;
++
++			if (((x + 1) % 8 == 0) && x != 0)
++				srcp++;
++		}
++	}
++
++	return dstData;
++}
++
+ static BOOL gdi_Glyph_New(rdpContext* context, const rdpGlyph* glyph)
+ {
+ 	BYTE* data;
+-- 
+2.53.0
+
diff --git a/SOURCES/codec-nsc-fix-use-of-nsc_process_message.patch b/SOURCES/codec-nsc-fix-use-of-nsc_process_message.patch
new file mode 100644
index 0000000..7c5ea64
--- /dev/null
+++ b/SOURCES/codec-nsc-fix-use-of-nsc_process_message.patch
@@ -0,0 +1,90 @@
+From 21cb0e2b96e4e86b4ed8b7a76d819808b898e93e Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Tue, 31 Mar 2026 07:08:04 +0200
+Subject: [PATCH] [codec,nsc] fix use of nsc_process_message
+
+Backport of commit 169971607cece48384cb94632b829bd57336af0f.
+
+Made-with: Cursor
+---
+ libfreerdp/codec/clear.c | 10 ++++++----
+ libfreerdp/codec/nsc.c   |  9 ++++++++-
+ libfreerdp/gdi/gdi.c     |  4 ++--
+ 3 files changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
+index 4dbe72376..6627b21d6 100644
+--- a/libfreerdp/codec/clear.c
++++ b/libfreerdp/codec/clear.c
+@@ -103,7 +103,8 @@ static BOOL convert_color(BYTE* dst, UINT32 nDstStep, UINT32 DstFormat, UINT32 n
+ 
+ static BOOL clear_decompress_nscodec(NSC_CONTEXT* nsc, UINT32 width, UINT32 height, wStream* s,
+                                      UINT32 bitmapDataByteCount, BYTE* pDstData, UINT32 DstFormat,
+-                                     UINT32 nDstStep, UINT32 nXDstRel, UINT32 nYDstRel)
++                                     UINT32 nDstStep, UINT32 nXDstRel, UINT32 nYDstRel,
++                                     UINT32 nDstWidth, UINT32 nDstHeight)
+ {
+ 	BOOL rc;
+ 
+@@ -115,8 +116,8 @@ static BOOL clear_decompress_nscodec(NSC_CONTEXT* nsc, UINT32 width, UINT32 heig
+ 	}
+ 
+ 	rc = nsc_process_message(nsc, 32, width, height, Stream_Pointer(s), bitmapDataByteCount,
+-	                         pDstData, DstFormat, nDstStep, nXDstRel, nYDstRel, width, height,
+-	                         FREERDP_FLIP_NONE);
++	                         pDstData, DstFormat, nDstStep, nXDstRel, nYDstRel, nDstWidth,
++	                         nDstHeight, FREERDP_FLIP_NONE);
+ 	Stream_Seek(s, bitmapDataByteCount);
+ 	return rc;
+ }
+@@ -535,7 +536,8 @@ static BOOL clear_decompress_subcodecs_data(CLEAR_CONTEXT* clear, wStream* s,
+ 
+ 			case 1: /* NSCodec */
+ 				if (!clear_decompress_nscodec(clear->nsc, width, height, s, bitmapDataByteCount,
+-				                              pDstData, DstFormat, nDstStep, nXDstRel, nYDstRel))
++				                              pDstData, DstFormat, nDstStep, nXDstRel, nYDstRel,
++				                              nDstWidth, nDstHeight))
+ 					return FALSE;
+ 
+ 				break;
+diff --git a/libfreerdp/codec/nsc.c b/libfreerdp/codec/nsc.c
+index a257ae24a..f50a1ae89 100644
+--- a/libfreerdp/codec/nsc.c
++++ b/libfreerdp/codec/nsc.c
+@@ -447,10 +447,17 @@ BOOL nsc_process_message(NSC_CONTEXT* context, UINT16 bpp, UINT32 width, UINT32
+                          UINT32 nDstStride, UINT32 nXDst, UINT32 nYDst, UINT32 nWidth,
+                          UINT32 nHeight, UINT32 flip)
+ {
++	WINPR_ASSERT(context);
++	WINPR_ASSERT(context->priv);
++
+ 	wStream* s;
+ 	BOOL ret;
+-	if (!context || !data || !pDstData)
++	if (!data || !pDstData)
++	{
++		WLog_Print(context->priv->log, WLOG_ERROR, "Invalid argument: data=%p, pDstData=%p",
++		           (const void*)data, (void*)pDstData);
+ 		return FALSE;
++	}
+ 
+ 	s = Stream_New((BYTE*)data, length);
+ 
+diff --git a/libfreerdp/gdi/gdi.c b/libfreerdp/gdi/gdi.c
+index 37a010431..8c5e4bf34 100644
+--- a/libfreerdp/gdi/gdi.c
++++ b/libfreerdp/gdi/gdi.c
+@@ -1074,8 +1074,8 @@ static BOOL gdi_surface_bits(rdpContext* context, const SURFACE_BITS_COMMAND* cm
+ 			if (!nsc_process_message(
+ 			        context->codecs->nsc, cmd->bmp.bpp, cmd->bmp.width, cmd->bmp.height,
+ 			        cmd->bmp.bitmapData, cmd->bmp.bitmapDataLength, gdi->primary_buffer, format,
+-			        gdi->stride, cmdRect.left, cmdRect.top, cmdRect.right - cmdRect.left,
+-			        cmdRect.bottom - cmdRect.top, FREERDP_FLIP_VERTICAL))
++			        gdi->stride, cmdRect.left, cmdRect.top, (UINT32)gdi->width, (UINT32)gdi->height,
++			        FREERDP_FLIP_VERTICAL))
+ 			{
+ 				WLog_ERR(TAG, "Failed to process NSCodec message");
+ 				goto out;
+-- 
+2.53.0
+
diff --git a/SOURCES/codec-nsc-limit-copy-area-in-nsc_process_message.patch b/SOURCES/codec-nsc-limit-copy-area-in-nsc_process_message.patch
new file mode 100644
index 0000000..2047df5
--- /dev/null
+++ b/SOURCES/codec-nsc-limit-copy-area-in-nsc_process_message.patch
@@ -0,0 +1,44 @@
+From 9a9e00529b1b04718370a1d8e2d8b6768c9ee913 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Mon, 16 Mar 2026 14:59:12 +0100
+Subject: [PATCH] [codec,nsc] limit copy area in nsc_process_message
+
+Backport of commit 83d9aedea278a74af3e490ff5eeb889c016dbb2b.
+
+Made-with: Cursor
+---
+ libfreerdp/codec/nsc.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/libfreerdp/codec/nsc.c b/libfreerdp/codec/nsc.c
+index 5dd2646ea..a257ae24a 100644
+--- a/libfreerdp/codec/nsc.c
++++ b/libfreerdp/codec/nsc.c
+@@ -24,6 +24,7 @@
+ #include "config.h"
+ #endif
+ 
++#include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -515,7 +516,15 @@ BOOL nsc_process_message(NSC_CONTEXT* context, UINT16 bpp, UINT32 width, UINT32
+ 			return FALSE;
+ 	}
+ 
+-	if (!freerdp_image_copy(pDstData, DstFormat, nDstStride, nXDst, nYDst, width, height,
++	uint32_t cwidth = width;
++	if (1ull * nXDst + width > nWidth)
++		cwidth = nWidth - nXDst;
++
++	uint32_t cheight = height;
++	if (1ull * nYDst + height > nHeight)
++		cheight = nHeight - nYDst;
++
++	if (!freerdp_image_copy(pDstData, DstFormat, nDstStride, nXDst, nYDst, cwidth, cheight,
+ 	                        context->BitmapData, PIXEL_FORMAT_BGRA32, 0, 0, 0, NULL, flip))
+ 		return FALSE;
+ 
+-- 
+2.53.0
+
diff --git a/SOURCES/core-info-fix-missing-NULL-check.patch b/SOURCES/core-info-fix-missing-NULL-check.patch
new file mode 100644
index 0000000..44daafe
--- /dev/null
+++ b/SOURCES/core-info-fix-missing-NULL-check.patch
@@ -0,0 +1,71 @@
+From 6a329a9a1352c9461a3a85e55d84230106b19500 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Tue, 10 Mar 2026 14:53:29 +0100
+Subject: [PATCH] [core,info] fix missing NULL check
+
+Backport of commit 4d44e3c097656a8b9ec696353647b0888ca45860.
+
+Made-with: Cursor
+---
+ libfreerdp/core/info.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/libfreerdp/core/info.c b/libfreerdp/core/info.c
+index 9aaa6cff6..56676f0fb 100644
+--- a/libfreerdp/core/info.c
++++ b/libfreerdp/core/info.c
+@@ -24,6 +24,7 @@
+ #endif
+ 
+ #include <winpr/crt.h>
++#include <winpr/assert.h>
+ #include <freerdp/crypto/crypto.h>
+ #include <freerdp/log.h>
+ #include <freerdp/session.h>
+@@ -1363,10 +1364,11 @@ static BOOL rdp_write_logon_info_v1(wStream* s, logon_info* info)
+ 	return TRUE;
+ }
+ 
+-static BOOL rdp_write_logon_info_v2(wStream* s, logon_info* info)
++static BOOL rdp_write_logon_info_v2(wStream* s, const logon_info* info)
+ {
+ 	UINT32 Size = 2 + 4 + 4 + 4 + 4 + 558;
+-	size_t domainLen, usernameLen;
++	size_t domainLen = 0;
++	size_t usernameLen = 0;
+ 	int len;
+ 	WCHAR* wString = NULL;
+ 
+@@ -1376,11 +1378,13 @@ static BOOL rdp_write_logon_info_v2(wStream* s, logon_info* info)
+ 	Stream_Write_UINT16(s, SAVE_SESSION_PDU_VERSION_ONE);
+ 	Stream_Write_UINT32(s, Size);
+ 	Stream_Write_UINT32(s, info->sessionId);
+-	domainLen = strlen(info->domain);
++	if (info->domain)
++		domainLen = strlen(info->domain);
+ 	if (domainLen > UINT32_MAX)
+ 		return FALSE;
+ 	Stream_Write_UINT32(s, (UINT32)(domainLen + 1) * 2);
+-	usernameLen = strlen(info->username);
++	if (info->username)
++		usernameLen = strlen(info->username);
+ 	if (usernameLen > UINT32_MAX)
+ 		return FALSE;
+ 	Stream_Write_UINT32(s, (UINT32)(usernameLen + 1) * 2);
+@@ -1457,10 +1461,11 @@ static BOOL rdp_write_logon_info_ex(wStream* s, logon_info_ex* info)
+ 
+ BOOL rdp_send_save_session_info(rdpContext* context, UINT32 type, void* data)
+ {
+-	wStream* s;
+ 	BOOL status;
++
++	WINPR_ASSERT(context);
+ 	rdpRdp* rdp = context->rdp;
+-	s = rdp_data_pdu_init(rdp);
++	wStream* s = rdp_data_pdu_init(rdp);
+ 
+ 	if (!s)
+ 		return FALSE;
+-- 
+2.53.0
+
diff --git a/SOURCES/gdi-graphics-Use-freerdp_glyph_convert_ex.patch b/SOURCES/gdi-graphics-Use-freerdp_glyph_convert_ex.patch
new file mode 100644
index 0000000..0e9b54e
--- /dev/null
+++ b/SOURCES/gdi-graphics-Use-freerdp_glyph_convert_ex.patch
@@ -0,0 +1,36 @@
+From d25ffd608bf2bd38022a3930d0b3fc1b7c873c1a Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Sat, 28 Mar 2026 12:13:06 +0100
+Subject: [PATCH] [gdi,graphics] Use freerdp_glyph_convert_ex
+
+Backport of commit 9f0eb3b7d43069a1e973464bcb43d1ef965ae65e.
+
+Made-with: Cursor
+---
+ libfreerdp/gdi/graphics.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/libfreerdp/gdi/graphics.c b/libfreerdp/gdi/graphics.c
+index dab159c43..b1129fb7c 100644
+--- a/libfreerdp/gdi/graphics.c
++++ b/libfreerdp/gdi/graphics.c
+@@ -262,7 +262,6 @@ static BYTE* freerdp_glyph_convert_ex(UINT32 width, UINT32 height, const BYTE* d
+ 
+ static BOOL gdi_Glyph_New(rdpContext* context, const rdpGlyph* glyph)
+ {
+-	BYTE* data;
+ 	gdiGlyph* gdi_glyph;
+ 
+ 	if (!context || !glyph)
+@@ -275,7 +274,7 @@ static BOOL gdi_Glyph_New(rdpContext* context, const rdpGlyph* glyph)
+ 		return FALSE;
+ 
+ 	gdi_glyph->hdc->format = PIXEL_FORMAT_MONO;
+-	data = freerdp_glyph_convert(glyph->cx, glyph->cy, glyph->aj);
++	BYTE* data = freerdp_glyph_convert_ex(glyph->cx, glyph->cy, glyph->aj, glyph->cb);
+ 
+ 	if (!data)
+ 	{
+-- 
+2.53.0
+
diff --git a/SPECS/freerdp.spec b/SPECS/freerdp.spec
index 7498469..6994003 100644
--- a/SPECS/freerdp.spec
+++ b/SPECS/freerdp.spec
@@ -27,7 +27,7 @@
 
 Name:           freerdp
 Version:        2.11.7
-Release:        1%{?dist}.3
+Release:        1%{?dist}.5
 Epoch:          2
 Summary:        Free implementation of the Remote Desktop Protocol (RDP)
 License:        ASL 2.0
@@ -76,6 +76,70 @@ Patch:          codec-clear-fix-destination-checks.patch
 # https://github.com/FreeRDP/FreeRDP/commit/a0be5cb87d760bb1c803ad1bb835aa1e73e62abc
 Patch:          codec-planar-fix-missing-destination-bounds-checks.patch
 
+# CVE-2026-22852
+# https://github.com/FreeRDP/FreeRDP/commit/cd1ffa112cfbe1b40a9fd57e299a8ea12e23df0d
+Patch:          channels-audin-free-up-old-audio-formats.patch
+
+# CVE-2026-22854
+# https://github.com/FreeRDP/FreeRDP/commit/3da319570c8a6be0a79b3306f1ed354c4a943259
+Patch:          channels-drive-fix-constant-type.patch
+
+# CVE-2026-22856
+# https://github.com/FreeRDP/FreeRDP/commit/b35aa3614d32bff3fc1272cd7c4617f711fca1a4
+# https://github.com/FreeRDP/FreeRDP/commit/675c20f08f32ca5ec06297108bdf30147d6e2cd9
+Patch:          channels-serial-lock-list-dictionary.patch
+Patch:          channels-serial-explicitly-lock-serial-IrpThreads.patch
+
+# CVE-2026-23732
+# https://github.com/FreeRDP/FreeRDP/commit/3bc1eeb4f63ceec9a696af194e4c1ea0e67ff60c
+# https://github.com/FreeRDP/FreeRDP/commit/9f0eb3b7d43069a1e973464bcb43d1ef965ae65e
+Patch:          codec-color-add-freerdp_glyph_convert_ex.patch
+Patch:          gdi-graphics-Use-freerdp_glyph_convert_ex.patch
+
+# CVE-2026-23948
+# https://github.com/FreeRDP/FreeRDP/commit/4d44e3c097656a8b9ec696353647b0888ca45860
+Patch:          core-info-fix-missing-NULL-check.patch
+
+# CVE-2026-24491
+# https://github.com/FreeRDP/FreeRDP/commit/e02e052f6692550e539d10f99de9c35a23492db2
+# https://github.com/FreeRDP/FreeRDP/commit/635ae3c8193256db01774fab5ff11bcae57aed6b
+# https://github.com/FreeRDP/FreeRDP/commit/e01cd85c8003a245ef9778f0eda4b9235514c201
+Patch:          channels-drdynvc-reset-channel_callback-before-close.patch
+Patch:          channels-video-unify-error-handling.patch
+Patch:          channels-video-fix-wrong-cast.patch
+
+# CVE-2026-24675
+# https://github.com/FreeRDP/FreeRDP/commit/d676518809c319eec15911c705c13536036af2ae
+Patch:          channels-urbdrc-do-not-free-MsConfig-on-failure.patch
+
+# CVE-2026-24676
+# https://github.com/FreeRDP/FreeRDP/commit/026b81ae5831ac1598d8f7371e0d0996fac7db00
+Patch:          channels-audin-reset-audin-format.patch
+
+# CVE-2026-24679
+# https://github.com/FreeRDP/FreeRDP/commit/2d563a50be17c1b407ca448b1321378c0726dd31
+Patch:          channels-urbdrc-ensure-InterfaceNumber-is-within-ran.patch
+
+# CVE-2026-24681
+# https://github.com/FreeRDP/FreeRDP/commit/414f701464929c217f2509bcbd6d2c1f00f7ed73
+Patch:          channels-urbdrc-cancel-all-usb-transfers-on-channel-.patch
+
+# CVE-2026-24683
+# https://github.com/FreeRDP/FreeRDP/commit/d9ca272dce7a776ab475e9b1a8e8c3d2968c8486
+Patch:          channels-ainput-lock-context-when-updating-listener.patch
+
+# CVE-2026-24684
+# https://github.com/FreeRDP/FreeRDP/commit/622bb7b4402491ca003f47472d0e478132673696
+# https://github.com/FreeRDP/FreeRDP/commit/afa6851dc80835d3101e40fcef51b6c5c0f43ea5
+Patch:          channels-rdpsnd-terminate-thread-before-free.patch
+Patch:          channel-rdpsnd-only-clean-up-thread-before-free.patch
+
+# CVE-2026-31806
+# https://github.com/FreeRDP/FreeRDP/commit/83d9aedea278a74af3e490ff5eeb889c016dbb2b
+# https://github.com/FreeRDP/FreeRDP/commit/169971607cece48384cb94632b829bd57336af0f
+Patch:          codec-nsc-limit-copy-area-in-nsc_process_message.patch
+Patch:          codec-nsc-fix-use-of-nsc_process_message.patch
+
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  alsa-lib-devel
@@ -333,6 +397,16 @@ find %{buildroot} -name "*.a" -delete
 %{_libdir}/pkgconfig/winpr-tools2.pc
 
 %changelog
+* Tue Mar 31 2026 Ondrej Holy <oholy@redhat.com> - 2:2.11.7-1.5
+- Fix use of nsc_process_message
+  Resolves: RHEL-155993
+
+* Fri Mar 27 2026 Ondrej Holy <oholy@redhat.com> - 2:2.11.7-1.4
+- Backport several CVE fixes
+  Resolves: RHEL-148046, RHEL-148049, RHEL-148054, RHEL-148061, RHEL-148079
+  Resolves: RHEL-148094, RHEL-148096, RHEL-148104, RHEL-148939, RHEL-149029
+  Resolves: RHEL-149042, RHEL-149065, RHEL-155993
+
 * Wed Mar 25 2026 Ondrej Holy <oholy@redhat.com> - 2:2.11.7-1.3
 - Backport several CVE fixes
   Resolves: RHEL-151988, RHEL-152215