CVE-2026-40254

Name
CVE-2026-40254
Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\` mid-path but misses `..` when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security-advisories@github.com https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmx

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:* freerdp >= None < 3.25.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
freerdp edge-community 3.24.2-r0 Lindsay Zhou <i@lin.moe> possibly vulnerable
freerdp edge-community 3.24.1-r0 Lindsay Zhou <i@lin.moe> possibly vulnerable
freerdp edge-community 3.24.0-r0 Lindsay Zhou <i@lin.moe> possibly vulnerable
freerdp edge-community 3.23.0-r0 Lindsay Zhou <i@lin.moe> possibly vulnerable
freerdp edge-community 3.22.0-r0 Lindsay Zhou <i@lin.moe> possibly vulnerable
freerdp edge-community 3.21.0-r0 Lindsay Zhou <i@lin.moe> possibly vulnerable
freerdp edge-community 3.20.2-r0 Lindsay Zhou <i@lin.moe> possibly vulnerable
freerdp edge-community 3.20.0-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp edge-community 3.20.0-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp edge-community 3.18.0-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp edge-community 3.16.0-r3 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp edge-community 3.16.0-r2 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp edge-community 3.16.0-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp edge-community 3.16.0-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp edge-community 3.15.0-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp edge-community 3.14.1-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp edge-community 3.10.3-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp edge-community 3.10.3-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp edge-community 3.10.0-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp edge-community 2.11.7-r1 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp edge-community 2.11.5-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp edge-community 2.9.0-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp edge-community 2.4.1-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp edge-community 2.2.0-r0 None possibly vulnerable
freerdp edge-community 2.1.2-r0 None possibly vulnerable
freerdp edge-community 2.0.0_rc4-r0 None possibly vulnerable
freerdp edge-community 2.0.0-r1 None possibly vulnerable
freerdp edge-community 2.0.0-r0 None possibly vulnerable
freerdp 3.23-community 3.24.2-r0 Lindsay Zhou <i@lin.moe> possibly vulnerable
freerdp 3.23-community 3.24.0-r0 Lindsay Zhou <i@lin.moe> possibly vulnerable
freerdp 3.23-community 3.23.0-r0 Lindsay Zhou <i@lin.moe> possibly vulnerable
freerdp 3.23-community 3.22.0-r0 Lindsay Zhou <i@lin.moe> possibly vulnerable
freerdp 3.23-community 3.18.0-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable