Описание
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function freerdp_certificate_data_hash_ uses the Microsoft-specific _snprintf function to format certificate cache filenames without guaranteeing NUL termination when truncation occurs. According to Microsoft documentation, _snprintf does not append a terminating NUL byte if the formatted output exceeds the destination buffer size. If an attacker controls the hostname value (for example via server redirection or a crafted .rdp file), the resulting filename buffer may not be NUL-terminated. Subsequent string operations performed on this buffer may read beyond the allocated memory region, resulting in a heap-based out-of-bounds read. In default configurations, the connection is typically terminated before sensitive data can be meaningfully exposed, but unintended memory read or a client crash may still...
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-apps/bionic | not-affected | Windows only |
| esm-infra/xenial | not-affected | Windows only |
| jammy | DNE | |
| noble | DNE | |
| plucky | DNE | |
| questing | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | DNE | |
| esm-apps/noble | not-affected | Windows only |
| esm-infra/bionic | not-affected | Windows only |
| esm-infra/focal | not-affected | Windows only |
| jammy | not-affected | Windows only |
| noble | not-affected | Windows only |
| plucky | not-affected | Windows only |
| questing | DNE | |
| upstream | needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | not-affected | Windows only |
| jammy | DNE | |
| noble | not-affected | Windows only |
| plucky | not-affected | Windows only |
| questing | not-affected | Windows only |
| upstream | not-affected | debian: Only affects FreeRDP's certificate handling code on Windows platforms |
Показывать по
EPSS
9.1 Critical
CVSS3
Связанные уязвимости
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function `freerdp_certificate_data_hash_ uses` the Microsoft-specific `_snprintf` function to format certificate cache filenames without guaranteeing NUL termination when truncation occurs. According to Microsoft documentation, `_snprintf` does not append a terminating NUL byte if the formatted output exceeds the destination buffer size. If an attacker controls the hostname value (for example via server redirection or a crafted .rdp file), the resulting filename buffer may not be NUL-terminated. Subsequent string operations performed on this buffer may read beyond the allocated memory region, resulting in a heap-based out-of-bounds read. In default configurations, the connection is typically terminated before sensitive data can be meaningfully exposed, but unintended memory read or a client crash may still oc
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...
EPSS
9.1 Critical
CVSS3