CVE-2026-40254
Last modified
CVE-2026-40254 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. EPSS estimates a 0.20% chance of exploitation in the next 30 days.
Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\` mid-path but misses `..` when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Freerdp | Freerdp | < 3.25.0 |
References
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmxExploit, Mitigation, Vendor Advisory
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmxExploit, Mitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-40254?
How severe is CVE-2026-40254?
How do I fix CVE-2026-40254?
Are you affected by CVE-2026-40254?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST