Out-of-bounds read in FreeRDP - #VU137829

 

Out-of-bounds read in FreeRDP - #VU137829

Published: July 16, 2026


Vulnerability identifier: #VU137829
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-125
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FreeRDP
Affected software:
FreeRDP

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an over-read caused by improper stream length handling in the gateway WebSocket transport when processing server-sent ping control frames. A remote attacker can send a specially crafted ping frame to disclose sensitive information.

The client sends a Pong whose payload may include bytes beyond the received Ping payload, and the peer can recover the masked payload because it receives the WebSocket masking key.


Remediation

Install security update from vendor's website.

Sources