CVE-2025-68118
Unknown Unknown - Not Provided
Heap-Based Out-of-Bounds Read in FreeRDP Certificate Handling

Publication date: 2025-12-17

Last updated on: 2025-12-17

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function `freerdp_certificate_data_hash_ uses` the Microsoft-specific `_snprintf` function to format certificate cache filenames without guaranteeing NUL termination when truncation occurs. According to Microsoft documentation, `_snprintf` does not append a terminating NUL byte if the formatted output exceeds the destination buffer size. If an attacker controls the hostname value (for example via server redirection or a crafted .rdp file), the resulting filename buffer may not be NUL-terminated. Subsequent string operations performed on this buffer may read beyond the allocated memory region, resulting in a heap-based out-of-bounds read. In default configurations, the connection is typically terminated before sensitive data can be meaningfully exposed, but unintended memory read or a client crash may still occur under certain conditions. Version 3.20.0 has a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-17
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68118
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freerdp freerdp *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in FreeRDP versions prior to 3.20.0 on Windows platforms. It involves the certificate handling code where the function freerdp_certificate_data_hash_ uses the Microsoft-specific _snprintf function to format certificate cache filenames. Because _snprintf does not guarantee NUL termination if the output is truncated, the filename buffer may not be properly terminated. If an attacker controls the hostname (e.g., via server redirection or a crafted .rdp file), this can cause subsequent string operations to read beyond the allocated memory, resulting in a heap-based out-of-bounds read. This can lead to unintended memory reads or client crashes.

Impact Analysis

The vulnerability can cause the FreeRDP client to read memory beyond the allocated buffer, potentially exposing unintended memory contents or causing the client to crash. Although in default configurations the connection is typically terminated before sensitive data can be meaningfully exposed, under certain conditions an attacker might exploit this to cause denial of service or access to sensitive information in memory.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade FreeRDP to version 3.20.0 or later, which includes a patch for the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68118. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart