CVE-2026-40254

MEDIUM

FreeRDP: contains_dotdot() off-by-one allows drive channel path traversal via terminal ..

Title source: cna

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\` mid-path but misses `..` when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue.

References (1)

[X_Refsource_Confirm] https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmx

Scores

CVSS v3 4.2

EPSS 0.0003

EPSS Percentile 10.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-193

Status published

Products (2)

freerdp/freerdp < 3.25.0

FreeRDP/FreeRDP < 3.25.0

Published Apr 24, 2026

Tracked Since Apr 24, 2026