Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, there is a heap-buffer-overflow READ vulnerability at 24 bytes before the allocation, in winpr_aligned_offset_recalloc(). This issue has been patched in version 3.24.2.
AnalysisAI
Heap-buffer-overflow in FreeRDP's winpr_aligned_offset_recalloc() function allows local attackers with no privileges but requiring user interaction to trigger high-severity information disclosure and denial of service in versions prior to 3.24.2. The vulnerability involves a READ operation at 24 bytes before heap allocation boundaries (CWE-125: Out-of-bounds Read). Vendor-released patch version 3.24.2 available via GitHub commit a48dbde2c8. EPSS data not provided; no public exploit identified at time of analysis. Affects all FreeRDP installations below 3.24.2, tracked across 7 Debian releases.
Technical ContextAI
This vulnerability affects the Windows Portable Runtime (WinPR) component of FreeRDP, specifically the winpr_aligned_offset_recalloc() memory management function. FreeRDP is an open-source implementation of Microsoft's Remote Desktop Protocol widely used for remote access on Linux, Unix, and embedded systems. The flaw represents a classic out-of-bounds read (CWE-125) where the function attempts to read heap memory 24 bytes before the legitimate allocation boundary. This occurs during memory reallocation operations, likely when handling alignment requirements for data structures. The vulnerability's local attack vector (AV:L) indicates exploitation requires local system access rather than network-based attacks, despite FreeRDP's network-facing purpose. The READ nature means attackers can extract sensitive information from adjacent heap memory regions rather than corrupt memory for code execution.
RemediationAI
Upgrade FreeRDP to version 3.24.2 or later, which contains the fix committed in GitHub commit a48dbde2c8a5b8b70a9d1c045d969a71afd6284c. System administrators should update via their distribution's package manager for Debian-based systems or compile from source using the patched release available at the official FreeRDP GitHub repository. The vendor security advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8jm9-2925-g4v2 provides additional context. For environments unable to immediately patch, temporary mitigations include restricting local user access to FreeRDP client execution, implementing application allowlisting to prevent unauthorized RDP client usage, and monitoring for unusual FreeRDP process crashes that could indicate exploitation attempts. No workaround eliminates the vulnerability; patching to 3.24.2 is the only complete remediation.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| jammy | DNE | - |
| noble | DNE | - |
| questing | DNE | - |
| upstream | needs-triage | - |
| Release | Status | Version |
|---|---|---|
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| questing | DNE | - |
| upstream | needs-triage | - |
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | needs-triage | - |
| questing | needs-triage | - |
| upstream | needs-triage | - |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 2.3.0+dfsg1-2+deb11u1 | - |
| bullseye (security) | vulnerable | 2.3.0+dfsg1-2+deb11u3 | - |
| bookworm | vulnerable | 2.11.7+dfsg1-6~deb12u1 | - |
| (unstable) | fixed | (unfixed) | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| trixie | vulnerable | 3.15.0+dfsg-2.1 | - |
| forky, sid | fixed | 3.24.2+dfsg-1 | - |
| (unstable) | fixed | 3.24.2+dfsg-1 | - |
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP2 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP3 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 12 SP2 | Fixed |
| SUSE Linux Enterprise Server 12 SP3 | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP2 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP3 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP2 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP3 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP6 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17225