Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\` mid-path but misses `..` when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue.
Published: 2026-04-24
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Client Files
Action: Apply Patch
AI Analysis

Impact

The FreeRDP implementation contains an off-by-one error in its path-traversal filter. The function that blocks directory traversal sequences does not detect a trailing '..' when it appears as the last component of a path with no separator after it. An attacker who controls the remote RDP server can send specially crafted drive-redirection requests to read, list, or write files located one directory above the client's shared folder. This flaw is classified as CWE-193 (Off-by-One Error). The vulnerability does not enable arbitrary code execution but grants the server file-system access on the client beyond the shared folder for the duration of the RDP session.
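The off-by-one described in the Description and Impact sections above, as an added illustration that is not FreeRDP's own code (the function names and sample paths are constructed): a substring-style filter that behaves the way the description says the pre-3.25.0 `contains_dotdot()` did, beside a component-wise check that also rejects a bare trailing `..`.

```c
/* Added illustration, not FreeRDP's code. weak_has_dotdot() models the
 * class of check the advisory describes (only "../" and "..\" are seen),
 * component_has_dotdot() inspects every separator-delimited component,
 * including the last one, so a trailing ".." with no separator is caught. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static bool is_sep(char c) { return c == '/' || c == '\\'; }

/* Substring-style filter: matches ".." only when a separator follows it. */
bool weak_has_dotdot(const char *path)
{
    return strstr(path, "../") != NULL || strstr(path, "..\\") != NULL;
}

/* Component-wise filter: reject if any component is exactly "..",
 * regardless of its position or whether a separator trails it. */
bool component_has_dotdot(const char *path)
{
    const char *p = path;
    while (*p) {
        const char *start = p;
        while (*p && !is_sep(*p))
            p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return true;
        while (is_sep(*p))
            p++;
    }
    return false;
}

int main(void)
{
    /* Constructed sample paths of the kind a server could send over RDPDR. */
    const char *samples[] = { "\\docs\\report.txt", "\\..\\secret.txt",
                              "\\docs\\..", "..", "\\docs\\..foo\\x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s weak=%d component=%d\n", samples[i],
               weak_has_dotdot(samples[i]), component_has_dotdot(samples[i]));
    return 0;
}
```

Note that `..foo` is a legitimate file name and is accepted by the component check, while the substring check both misses the trailing `..` and would need further care around names like that.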

Affected Systems

All FreeRDP releases prior to version 3.25.0 are affected. The issue exists in the drive channel client code located in channels/drive/client/drive_file.c. Users running FreeRDP 3.24.x or earlier with drive redirection enabled should update to 3.25.0, the patched version.

Risk and Exploitability

The CVSS score of 4.2 indicates medium severity. The EPSS score is reported as <1%, suggesting a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the victim to initiate an RDP connection with drive redirection enabled; a malicious server can then use the path-traversal flaw to access the client's files one level above the shared directory. The attack vector is remote, depends on the client establishing a session with the attacker's server, and does not provide direct remote code execution.

Generated by OpenCVE AI on April 28, 2026 at 07:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to FreeRDP version 3.25.0 or later to apply the off‑by‑one path traversal fix
  • Disable drive redirection on client machines or ensure that no shared folders are exposed when connecting to remote servers
  • Monitor RDP sessions for anomalous drive‑redirection requests and implement logging or intrusion detection to detect potential exploitation


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Freerdp; Freerdp freerdp
CPEs | | cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
Vendors & Products | | Freerdp; Freerdp freerdp

Sun, 26 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Fri, 24 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 02:45:00 +0000

Type | Values Removed | Values Added
Description | | FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\` mid-path but misses `..` when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue.
Title | | FreeRDP: contains_dotdot() off-by-one allows drive channel path traversal via terminal ..
Weaknesses | | CWE-193
References | |
Metrics | | cvssV3_1: {'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T12:06:22.722Z

Reserved: 2026-04-10T17:31:45.786Z

Link: CVE-2026-40254

Vulnrichment

Updated: 2026-04-24T12:06:05.911Z

NVD

Status : Analyzed

Published: 2026-04-24T03:16:11.373

Modified: 2026-04-27T17:44:02.727

Link: CVE-2026-40254

Redhat

Severity : Moderate

Public Date: 2026-04-24T02:24:50Z

Links: CVE-2026-40254 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T07:15:19Z

Weaknesses