Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.
Ссылки
- Patch
- ExploitPatchVendor Advisory
- ExploitPatchVendor Advisory
Уязвимые конфигурации
EPSS
5.3 Medium
CVSS3
8.2 High
CVSS3
Дефекты
Связанные уязвимости
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.
A heap based buffer overflow flaw has been discovered in FreeRDP. This client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. A malicious server can trigger a client-side heap out-of-bounds access (READ of 4 bytes, followed by potential WRITE of a pointer) on the bitmap cache cells array, causing a crash (DoS) and heap corruption. The off-by-one accesses cells[maxCells] which reads from and writes to adjacent heap memory, potentially enabling pointer overwrite for code execution depending on heap layout.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...
EPSS
5.3 Medium
CVSS3
8.2 High
CVSS3