FreeRDP vulnerable to out-of-bounds read
CVE-2024-32659

9.8CRITICAL

Key Information:

Vendor: Freerdp
Status: Freerdp
Vendor: CVE Published:; 23 April 2024

What is CVE-2024-32659?

FreeRDP, which serves as a free implementation of the Remote Desktop Protocol, is susceptible to an out-of-bounds read issue in its clients prior to version 3.5.1. This vulnerability arises when both nWidth and nHeight equal zero, leading to potential unintended memory access and exposure of sensitive information. Following the identification of this flaw, version 3.5.1 has been released to address and mitigate the risks associated with it. Currently, there are no known workarounds for users of compromised versions, making immediate upgrade to the patched version critical.

Affected Version(s)

FreeRDP < 3.5.1

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/FreeRDP/FreeRDP/commit/6430945ce003a5e...

x_refsource_MISC

https://oss-fuzz.com/testcase-detail/6156779722440704

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 23, 2024
Vulnerability Reserved
Apr 16, 2024

Freerdp

What is CVE-2024-32659?

Affected Version(s)

References

CVSS V3.1

Timeline