CVE-2026-40254

EUVD-2026-25381

24.04.2026, 03:16

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\` mid-path but misses `..` when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
GitHub_M	CNA	4.2 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
freerdp	freerdp	𝑥 < 3.25.0	CNA

Ubuntu Releases

Ubuntu Product

Codename

freerdp

bionic	needs-triage
jammy	dne
noble	dne
questing	dne
resolute	dne
xenial	needs-triage

freerdp2

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	dne
resolute	dne

freerdp3

jammy	dne
noble	needs-triage
questing	needs-triage
resolute	needs-triage

Common Weakness Enumeration

CWE-193 - Off-by-one Error
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmx