Off-by-one in FreeRDP - CVE-2026-40254


Published: April 23, 2026


Vulnerability identifier: #VU126890
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-40254
CWE-ID: CWE-193
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FreeRDP
Affected software: FreeRDP

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and modify files outside the intended shared drive root.

The vulnerability exists due to an off-by-one error in contains_dotdot() in channels/drive/client/drive_file.c when processing RDPDR drive redirection I/O requests containing a terminal .. path component. A remote attacker can send specially crafted RDPDR requests to disclose sensitive information and modify files outside the intended shared drive root.

User interaction is required, and exploitation requires the victim to connect to a rogue RDP server with drive redirection enabled.
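The defect class described above (an off-by-one that lets a final `..` component escape a traversal check) is easy to reproduce in miniature. The C block below is an added illustration written for this page; it is not FreeRDP's contains_dotdot() and does not reproduce the project's code. The first function shows the general shape of such a check that only recognises `..` when a separator follows it, so a path ending in `..` is never examined; the second splits the path into components and flags any component that is exactly `..`, regardless of what follows. Both function names and the sample paths are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative (NOT FreeRDP's code): a separator-driven scan that looks for
 * ".." only when a '/' or '\\' follows it. The loop bound "i + 2 < len" means a
 * ".." that ends the string is never inspected, which is the off-by-one shape
 * the advisory describes for a terminal ".." component. */
static bool naive_contains_dotdot(const char *path)
{
    size_t len = strlen(path);
    for (size_t i = 0; i + 2 < len; i++) {
        if (path[i] == '.' && path[i + 1] == '.' &&
            (path[i + 2] == '/' || path[i + 2] == '\\'))
            return true;
    }
    return false;
}

/* Hardened form: walk the path component by component (both separator
 * styles, since RDPDR clients see Windows-style paths) and reject any
 * component that is exactly "..", whether or not a separator follows it.
 * "..foo" or "a..b" are ordinary names and are not rejected. */
static bool contains_dotdot_component(const char *path)
{
    const char *p = path;
    while (*p) {
        const char *start = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return true;
        if (*p)
            p++; /* skip the separator and continue with the next component */
    }
    return false;
}

/* Returns the number of constructed sample paths on which the two checks
 * disagree; every disagreement is a traversal the naive check missed. */
static int count_missed_by_naive(void)
{
    static const char *const samples[] = {
        "docs/report.txt",   /* benign */
        "../etc",            /* leading "..": both checks catch it */
        "docs/../../etc",    /* interior "..": both checks catch it */
        "docs/..",           /* terminal "..": only the component check catches it */
        "..",                /* bare "..": only the component check catches it */
        "docs\\..",          /* terminal ".." with a backslash separator */
        "docs/..hidden",     /* not a traversal: neither check should flag it */
    };
    int missed = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool a = naive_contains_dotdot(samples[i]);
        bool b = contains_dotdot_component(samples[i]);
        if (a != b)
            missed++;
    }
    return missed;
}

int main(void)
{
    printf("terminal '..' missed by naive check: %s\n",
           naive_contains_dotdot("docs/..") ? "no" : "yes");
    printf("terminal '..' caught by component check: %s\n",
           contains_dotdot_component("docs/..") ? "yes" : "no");
    printf("sample paths where the naive check is wrong: %d\n",
           count_missed_by_naive());
    return 0;
}
```

A lexical check like this is only the first layer: a drive-redirection client should also resolve the requested path and confirm that the resolved result still lies under the shared root before opening it, so that a check which misses one encoding of a parent reference does not become the only barrier.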


How to mitigate CVE-2026-40254

Install the security update from the vendor's website.
