CVE-2022-39316 — Out-of-bounds Read in Freerdp

CWE-125 — Out-of-bounds Read6 documents5 sources

Severity

5.7MEDIUMNVD

OSV7.5

EPSS

0.2%

top 55.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freerdp Debian Freerdp2 Fedoraproject Fedora

Timeline

PublishedNov 16

Latest updateNov 22

Description

FreeRDP is a free remote desktop protocol library and clients. In affected versions there is an out of bound read in ZGFX decoder component of FreeRDP. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it likely resulting in a crash. This issue has been addressed in the 2.9.0 release. Users are advised to upgrade.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:HExploitability: 2.1 | Impact: 3.6

Affected Packages2 packages

▶NVDfreerdp/freerdp< 2.9.0

▶debiandebian/freerdp2< freerdp2 2.9.0+dfsg1-1 (bookworm)

Also affects: Fedora 36, 37

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

freerdp2 vulnerabilities↗2022-11-22

▶

OSV

CVE-2022-39316: FreeRDP is a free remote desktop protocol library and clients↗2022-11-16

▶

📋Vendor Advisories

Ubuntu

FreeRDP vulnerabilities↗2022-11-22

▶

Red Hat

freerdp: out of bounds read in zgfx decoder↗2022-11-16

▶

Debian

CVE-2022-39316: freerdp2 - FreeRDP is a free remote desktop protocol library and clients. In affected versi...↗2022

▶