akallabeth

57 exploits, active since May 2020
CVE-2020-11099 WRITEUP LOW
FreeRDP < 2.1.2 - Out-of-bounds Read in License Packet Handling
In FreeRDP before version 2.1.2, there is an out of bounds read in license_read_new_or_upgrade_license_packet. A manipulated license packet can lead to out of bound reads to an internal buffer. This is fixed in version 2.1.2.
CVSS 3.5
CVE-2020-13396 WRITEUP HIGH
FreeRDP < 2.1.1 - Out-of-bounds Read in NTLM Challenge Message
An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) read vulnerability has been detected in ntlm_read_ChallengeMessage in winpr/libwinpr/sspi/NTLM/ntlm_message.c.
CVSS 7.1
CVE-2020-13397 WRITEUP MEDIUM
FreeRDP < 2.1.1 - Out-of-bounds Read in security_fips_decrypt
An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) read vulnerability has been detected in security_fips_decrypt in libfreerdp/core/security.c due to an uninitialized value.
CVSS 5.5
CVE-2020-4030 WRITEUP LOW
FreeRDP < 2.1.2 - Integer Overflow in TrioParse
In FreeRDP before version 2.1.2, there is an out of bounds read in TrioParse. Logging might bypass string length checks due to an integer overflow. This is fixed in version 2.1.2.
CVSS 3.5
CVE-2020-4031 WRITEUP LOW
FreeRDP < 2.1.2 - Use-After-Free in gdi_SelectObject
In FreeRDP before version 2.1.2, there is a use-after-free in gdi_SelectObject. All FreeRDP clients using compatibility mode with /relax-order-checks are affected. This is fixed in version 2.1.2.
CVSS 3.5
CVE-2020-4032 WRITEUP LOW
FreeRDP < 2.1.2 - Integer Casting Vulnerability in update_recv_secondary_order
In FreeRDP before version 2.1.2, there is an integer casting vulnerability in update_recv_secondary_order. All clients with +glyph-cache /relax-order-checks are affected. This is fixed in version 2.1.2.
CVSS 3.1
CVE-2020-4033 WRITEUP LOW
FreeRDP < 2.1.2 - Out-of-bounds Read in RLEDECOMPRESS
In FreeRDP before version 2.1.2, there is an out of bounds read in RLEDECOMPRESS. All FreeRDP based clients with sessions with color depth < 32 are affected. This is fixed in version 2.1.2.
CVSS 3.1
CVE-2022-24883 WRITEUP HIGH
FreeRDP < 2.7.0 - Improper Authentication via Invalid SAM File Path
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure the `SAM` database path configured is valid and the application has file handles left.
CVSS 7.4
CVE-2022-39316 WRITEUP MEDIUM
FreeRDP < 2.9.0 - Out-of-bounds Read in ZGFX Decoder
FreeRDP is a free remote desktop protocol library and clients. In affected versions there is an out of bound read in ZGFX decoder component of FreeRDP. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it likely resulting in a crash. This issue has been addressed in the 2.9.0 release. Users are advised to upgrade.
CVSS 4.8
CVE-2022-39318 WRITEUP MEDIUM
FreeRDP < 2.9.0 - Denial of Service via urbdrc Channel Input Validation
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input validation in `urbdrc` channel. A malicious server can trick a FreeRDP based client to crash with division by zero. This issue has been addressed in version 2.9.0. All users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.
CVSS 4.8
CVE-2022-39319 WRITEUP MEDIUM
FreeRDP < 2.9.0 - Out-of-bounds Read via urbdrc Channel
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input length validation in the `urbdrc` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.
CVSS 4.6
CVE-2022-39347 WRITEUP LOW
FreeRDP < 2.9.0 - Path Traversal via Drive Channel
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing path canonicalization and base path check for `drive` channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/drive`, `/drives` or `+home-drive` redirection switch.
CVSS 2.6
CVE-2022-41877 WRITEUP MEDIUM
FreeRDP < 2.9.0 - Out-of-Bounds Read via Drive Channel
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input length validation in `drive` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the drive redirection channel - command line options `/drive`, `+drives` or `+home-drive`.
CVSS 4.6
CVE-2023-39354 WRITEUP MEDIUM
FreeRDP < 2.11.0 - Out-of-Bounds Read in nsc_rle_decompress_data
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Read in the `nsc_rle_decompress_data` function. The Out-Of-Bounds Read occurs because it processes `context->Planes` without checking if it contains data of sufficient length. Should an attacker be able to leverage this vulnerability they may be able to cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 5.9
CVE-2024-32658 WRITEUP CRITICAL
FreeRDP < 3.5.1 - Out-of-bounds Read
FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read. Version 3.5.1 contains a patch for the issue. No known workarounds are available.
CVSS 9.8
CVE-2024-32659 WRITEUP CRITICAL
FreeRDP < 3.5.1 - Out-of-bounds Read
FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read if `((nWidth == 0) and (nHeight == 0))`. Version 3.5.1 contains a patch for the issue. No known workarounds are available.
CVSS 9.8
CVE-2024-32660 WRITEUP HIGH
FreeRDP < 3.5.1 - Denial of Service via Invalid Huge Allocation Size
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.5.1, a malicious server can crash the FreeRDP client by sending invalid huge allocation size. Version 3.5.1 contains a patch for the issue. No known workarounds are available.
CVSS 7.5
CVE-2024-32661 WRITEUP HIGH
FreeRDP < 3.5.1 - Denial of Service via NULL Pointer Dereference
FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to a possible `NULL` access and crash. Version 3.5.1 contains a patch for the issue. No known workarounds are available.
CVSS 7.5
CVE-2024-32662 WRITEUP HIGH
FreeRDP < 3.5.1 - Out-of-bounds Read via WCHAR String Handling
FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read. This occurs when `WCHAR` string is read with twice the size it has and converted to `UTF-8`, `base64` decoded. The string is only used to compare against the redirection server certificate. Version 3.5.1 contains a patch for the issue. No known workarounds are available.
CVSS 7.5
CVE-2025-68118 WRITEUP CRITICAL
FreeRDP < 3.20.0 - Out-of-bounds Read via Certificate Cache Filename Handling
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function `freerdp_certificate_data_hash_` uses the Microsoft-specific `_snprintf` function to format certificate cache filenames without guaranteeing NUL termination when truncation occurs. According to Microsoft documentation, `_snprintf` does not append a terminating NUL byte if the formatted output exceeds the destination buffer size. If an attacker controls the hostname value (for example via server redirection or a crafted .rdp file), the resulting filename buffer may not be NUL-terminated. Subsequent string operations performed on this buffer may read beyond the allocated memory region, resulting in a heap-based out-of-bounds read. In default configurations, the connection is typically terminated before sensitive data can be meaningfully exposed, but unintended memory read or a client crash may still occur under certain conditions. Version 3.20.0 has a patch for the issue.
CVSS 9.1
CVE-2026-23948 WRITEUP HIGH
FreeRDP < 3.22.0 - Denial of Service via Malformed LogonInfoV2 PDU
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, a NULL pointer dereference vulnerability in rdp_write_logon_info_v2() allows a malicious RDP server to crash FreeRDP proxy by sending a specially crafted LogonInfoV2 PDU with cbDomain=0 or cbUserName=0. This vulnerability is fixed in 3.22.0.
CVSS 7.5
CVE-2026-24491 WRITEUP HIGH
FreeRDP < 3.22.0 - Use-After-Free via Video Timer Notification
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notifications after the control channel is closed, dereferencing a freed callback and triggering a use after free. This vulnerability is fixed in 3.22.0.
CVSS 7.5
CVE-2026-24675 WRITEUP HIGH
FreeRDP < 3.22.0 - Use-After-Free in urb_select_interface
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, urb_select_interface can free the device's MS config on error but later code still dereferences it, leading to a use after free in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
CVSS 7.5
CVE-2026-24676 WRITEUP HIGH
FreeRDP < 3.22.0 - Use-After-Free in AUDIN Format Renegotiation
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, AUDIN format renegotiation frees the active format list while the capture thread continues using audin->format, leading to a use after free in audio_format_compatible. This vulnerability is fixed in 3.22.0.
CVSS 7.5
CVE-2026-24677 WRITEUP CRITICAL
FreeRDP < 3.22.0 - Memory Corruption
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, ecam_encoder_compress_h264 trusts server-controlled dimensions and does not validate the source buffer size, leading to an out-of-bounds read in sws_scale. This vulnerability is fixed in 3.22.0.
CVSS 9.1