Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, xf_rail_server_local_move_size dereferences a freed xfAppWindow pointer because xf_rail_get_window returns an unprotected pointer from the railWindows hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
A flaw was found in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). A remote attacker could exploit a use-after-free vulnerability in the xf_rail_server_local_move_size function. This occurs because the xf_rail_get_window function returns an unprotected pointer, allowing a main thread to concurrently delete a window while another thread is still using its pointer. Successful exploitation of this flaw could lead to a denial of service.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | freerdp | Fix deferred | ||
| Red Hat Enterprise Linux 6 | freerdp | Fix deferred | ||
| Red Hat Enterprise Linux 7 | freerdp | Fix deferred | ||
| Red Hat Enterprise Linux 8 | freerdp | Fix deferred | ||
| Red Hat Enterprise Linux 9 | freerdp | Fix deferred |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
5.3 Medium
CVSS3
Связанные уязвимости
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...
5.3 Medium
CVSS3