Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, an unvalidated auth_length field read from the network triggers a WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks(), causing any FreeRDP client connecting through a malicious RDP Gateway to crash with SIGABRT. This is a pre-authentication denial of service affecting all FreeRDP clients using RPC-over-HTTP gateway transport. The assertion is active in default release builds (WITH_VERBOSE_WINPR_ASSERT=ON). This issue has been patched in version 3.24.2.
AnalysisAI
FreeRDP clients before version 3.24.2 crash with SIGABRT when connecting through a malicious RDP Gateway due to an unvalidated auth_length field triggering a WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks(). This pre-authentication denial of service affects all FreeRDP clients using RPC-over-HTTP gateway transport, regardless of user authentication status. The vulnerability has been patched in version 3.24.2.
Technical ContextAI
FreeRDP implements the Remote Desktop Protocol (RDP) for remote desktop client functionality. The vulnerability exists in the RPC-over-HTTP gateway transport layer, specifically in the auth_verifier parsing code path (rts_read_auth_verifier_no_checks()). The root cause is a lack of validation on the auth_length field read from untrusted network data before it is processed. CWE-617 (Reachable Assertion) indicates that an assertion statement (WINPR_ASSERT) is reachable by an attacker-controlled code path. This assertion is enabled by default in release builds when WITH_VERBOSE_WINPR_ASSERT=ON, causing the entire FreeRDP process to abort immediately rather than gracefully handling the malformed input. The affected CPE pattern cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:* indicates all FreeRDP application versions before the patch are vulnerable.
RemediationAI
Vendor-released patch: FreeRDP version 3.24.2 or later. Users should upgrade FreeRDP to version 3.24.2 or any subsequent release to fix the auth_length validation issue. For systems unable to immediately upgrade, organizations should restrict RDP Gateway traffic from untrusted sources and ensure FreeRDP clients only connect through verified, trusted gateways. Debian and Ubuntu users should check their respective package repositories for updated FreeRDP versions and apply system updates. Detailed patch information and security advisory are available at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4v4p-9v5x-hc93 and the upstream commit at https://github.com/FreeRDP/FreeRDP/commit/4ac0b6467d371a1ad47c1f751c5b305e4c068adb.
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| jammy | DNE | - |
| noble | DNE | - |
| questing | DNE | - |
| upstream | needs-triage | - |
| Release | Status | Version |
|---|---|---|
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| questing | DNE | - |
| upstream | needs-triage | - |
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | needs-triage | - |
| questing | needs-triage | - |
| upstream | needs-triage | - |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 2.3.0+dfsg1-2+deb11u1 | - |
| bullseye (security) | vulnerable | 2.3.0+dfsg1-2+deb11u3 | - |
| bookworm | vulnerable | 2.11.7+dfsg1-6~deb12u1 | - |
| (unstable) | fixed | (unfixed) | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| trixie | vulnerable | 3.15.0+dfsg-2.1 | - |
| forky, sid | fixed | 3.24.2+dfsg-1 | - |
| (unstable) | fixed | 3.24.2+dfsg-1 | - |
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP2 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP3 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 12 SP2 | Fixed |
| SUSE Linux Enterprise Server 12 SP3 | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP2 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP3 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP2 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP3 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP6 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17221