FreeRDP Vulnerability: Out-of-Bounds Read in Legacy Clients
CVE-2024-32460

8.1HIGH

Key Information:

Vendor: Freerdp
Status: Freerdp
Vendor: CVE Published:; 22 April 2024

What is CVE-2024-32460?

FreeRDP is an open-source implementation of the Remote Desktop Protocol that is vulnerable to an out-of-bounds read condition in clients that utilize the legacy GDI drawing path with the /bpp:32 option. This vulnerability affects FreeRDP versions earlier than 3.5.0 and 2.11.6. Users are encouraged to upgrade to these patched versions to mitigate the risk. Alternatively, employing modern drawing paths such as /rfx or /gfx can serve as a workaround, although this requires corresponding support from the server side.

Affected Version(s)

FreeRDP >= 3.0.0, 3.5.0 >= 3.0.0, 3.5.0

FreeRDP < 2.11.6 < 2.11.6

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/FreeRDP/FreeRDP/pull/10077

x_refsource_MISC

https://github.com/FreeRDP/FreeRDP/releases/tag/2.11.6

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2024
Vulnerability Reserved
Apr 12, 2024

Freerdp

What is CVE-2024-32460?

Affected Version(s)

References

CVSS V3.1

Timeline