CVE-2026-40254
4.2
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in channels/drive/client/drive_file.c. The contains_dotdot() function catches ../ and ..\ mid-path but misses .. when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| FreeRDP | FreeRDP | < 3.25.0 | affected |
Weaknesses
- CWE-193: CWE-193: Off-by-one Error
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.