CVE-2025-68118
Heap-Based Out-of-Bounds Read in FreeRDP Certificate Handling
Publication date: 2025-12-17
Last updated on: 2025-12-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in FreeRDP versions prior to 3.20.0 on Windows platforms. It involves the certificate handling code where the function freerdp_certificate_data_hash_ uses the Microsoft-specific _snprintf function to format certificate cache filenames. Because _snprintf does not guarantee NUL termination if the output is truncated, the filename buffer may not be properly terminated. If an attacker controls the hostname (e.g., via server redirection or a crafted .rdp file), this can cause subsequent string operations to read beyond the allocated memory, resulting in a heap-based out-of-bounds read. This can lead to unintended memory reads or client crashes.
How can this vulnerability impact me? :
The vulnerability can cause the FreeRDP client to read memory beyond the allocated buffer, potentially exposing unintended memory contents or causing the client to crash. Although in default configurations the connection is typically terminated before sensitive data can be meaningfully exposed, under certain conditions an attacker might exploit this to cause denial of service or access to sensitive information in memory.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade FreeRDP to version 3.20.0 or later, which includes a patch for the issue.