Improper validation of certificate with host mismatch in FreeRDP - #VU137824
Published: July 16, 2026
FreeRDP
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass tls server hostname validation.
The vulnerability exists due to improper certificate hostname validation in tls_match_hostname() when verifying wildcard tls certificates for multi-label hostnames. A remote attacker can present a crafted wildcard certificate to bypass tls server hostname validation.
This issue affects cases where a certificate for a single-label wildcard domain is incorrectly accepted for a hostname with multiple labels.