SB2026042334 - Off-by-one in FreeRDP



SB2026042334 - Off-by-one in FreeRDP

Published: April 23, 2026

Security Bulletin ID SB2026042334
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Off-by-one (CVE-ID: CVE-2026-40254)

CWE-ID: CWE-193 - Off-by-one Error

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to disclose sensitive information and modify files outside the intended shared drive root.

The vulnerability exists due to an off-by-one error in contains_dotdot() in channels/drive/client/drive_file.c when processing RDPDR drive redirection I/O requests containing a terminal .. path component. A remote attacker can send specially crafted RDPDR requests to disclose sensitive information and modify files outside the intended shared drive root.

User interaction is required, and exploitation requires the victim to connect to a rogue RDP server with drive redirection enabled.


Remediation

Install update from vendor's website.