|
Vulnerabilities
< Back

CVE-2025-68118

Updated on 17 Dec 2025

Severity

9.1 Critical severity

Details

CVSS score
9.1
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CWE ID
Links
NISTCIRCLRHELUbuntu

Overview

About vulnerability

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function freerdp_certificate_data_hash_ uses the Microsoft-specific _snprintf function to format certificate cache filenames without guaranteeing NUL termination when truncation occurs. According to Microsoft documentation, _snprintf does not append a terminating NUL byte if the formatted output exceeds the destination buffer size. If an attacker controls the hostname value (for example via server redirection or a crafted .rdp file), the resulting filename buffer may not be NUL-terminated. Subsequent string operations performed on this buffer may read beyond the allocated memory region, resulting in a heap-based out-of-bounds read. In default configurations, the connection is typically terminated before sensitive data can be meaningfully exposed, but unintended memory read or a client crash may still occur under certain conditions. Version 3.20.0 has a patch for the issue.

Details

Affected product:
Amazon Linux 2 ELS , CentOS 7 ELS , Oracle Linux 7 ELS
Affected packages:
freerdp @ 2.1.1 (+2 more)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function freerdp_certificate_data_hash_ uses the Microsoft-specific _snprintf function to format certificate cache filenames without guaranteeing NUL termination when truncation occurs. According to Microsoft documentation, _snprintf does not append a terminating NUL byte if the formatted output exceeds the destination buffer size. If an attacker controls the hostname value (for example via server redirection or a crafted .rdp file), the resulting filename buffer may not be NUL-terminated. Subsequent string operations performed on this buffer may read beyond the allocated memory region, resulting in a heap-based out-of-bounds read. In default configurations, the connection is typically terminated before sensitive data can be meaningfully exposed, but unintended memory read or a client crash may still occur under certain conditions. Version 3.20.0 has a patch for the issue.

Fixes