SB2026042334 - Off-by-one in FreeRDP
Published: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Off-by-one (CVE-ID: CVE-2026-40254)
CWE-ID: CWE-193 - Off-by-one Error
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information and modify files outside the intended shared drive root.
The vulnerability exists due to an off-by-one error in contains_dotdot() in channels/drive/client/drive_file.c when processing RDPDR drive redirection I/O requests containing a terminal .. path component. A remote attacker can send specially crafted RDPDR requests to disclose sensitive information and modify files outside the intended shared drive root.
User interaction is required, and exploitation requires the victim to connect to a rogue RDP server with drive redirection enabled.
Remediation
Install update from vendor's website.