Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in persistent_cache_read_entry_v3() in libfreerdp/cache/persistent.c, persistent->bmpSize is updated before winpr_aligned_recalloc(). If realloc fails, bmpSize is inflated while bmpData points to the old buffer. This issue has been patched in version 3.24.2.
AnalysisAI
Heap buffer overflow in FreeRDP's persistent bitmap cache handling allows local attackers to corrupt memory integrity and crash the RDP client. Affecting all versions prior to 3.24.2, the vulnerability (CWE-122) occurs when memory reallocation fails but the buffer size variable is prematurely updated, creating a size/pointer mismatch. EPSS data not available, but marked medium priority by Ubuntu. No public exploit identified at time of analysis, though technical details are disclosed in the GitHub Security Advisory.
Technical ContextAI
FreeRDP is an open-source implementation of Microsoft's Remote Desktop Protocol (RDP), widely used for remote desktop connectivity across platforms. The vulnerability resides in libfreerdp/cache/persistent.c within the persistent_cache_read_entry_v3() function, which handles persistent bitmap caching to optimize RDP session performance. The flaw is a classic heap buffer overflow (CWE-122) stemming from improper synchronization between buffer size tracking and memory allocation. Specifically, the code updates the persistent->bmpSize variable before calling winpr_aligned_recalloc() to resize persistent->bmpData. If realloc() fails due to memory exhaustion or other conditions, bmpSize reflects the intended larger size while bmpData still points to the original smaller buffer. Subsequent operations using the inflated bmpSize on the undersized buffer can write beyond allocated heap boundaries, corrupting adjacent memory structures. This represents a Time-of-Check-Time-of-Use (TOCTOU) style error in resource management during cache deserialization.
RemediationAI
Upgrade to FreeRDP version 3.24.2 or later, which contains the complete fix for the heap buffer overflow via commit 1a890eb43492b5eb707cb3dd6fc908f696e8fc1c. The patch corrects the order of operations in persistent_cache_read_entry_v3() to ensure bmpSize is only updated after successful memory reallocation, eliminating the size/pointer desynchronization. For Linux distributions, apply vendor-provided security updates through standard package managers (apt, yum, dnf) as Ubuntu and Debian maintainers release patched packages for tracked releases. Organizations unable to immediately upgrade should implement defense-in-depth controls: restrict RDP client usage to trusted connection sources only, disable persistent bitmap caching if operationally feasible via FreeRDP configuration options, and deploy endpoint detection solutions to monitor for abnormal RDP client behavior or crashes. Review and sanitize any RDP connection files (.rdp) from untrusted sources before use. System administrators should audit environments for applications embedding vulnerable libfreerdp versions and coordinate updates with application vendors. Full technical details and patch available at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-ff8h-p5vc-wcwc and commit reference https://github.com/FreeRDP/FreeRDP/commit/1a890eb43492b5eb707cb3dd6fc908f696e8fc1c.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| jammy | DNE | - |
| noble | DNE | - |
| questing | DNE | - |
| upstream | needs-triage | - |
| Release | Status | Version |
|---|---|---|
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| questing | DNE | - |
| upstream | needs-triage | - |
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | needs-triage | - |
| questing | needs-triage | - |
| upstream | needs-triage | - |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 2.3.0+dfsg1-2+deb11u1 | - |
| bullseye (security) | vulnerable | 2.3.0+dfsg1-2+deb11u3 | - |
| bookworm | vulnerable | 2.11.7+dfsg1-6~deb12u1 | - |
| (unstable) | fixed | (unfixed) | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| trixie | vulnerable | 3.15.0+dfsg-2.1 | - |
| forky, sid | fixed | 3.24.2+dfsg-1 | - |
| (unstable) | fixed | 3.24.2+dfsg-1 | - |
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP2 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP3 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 12 SP2 | Fixed |
| SUSE Linux Enterprise Server 12 SP3 | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP2 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP3 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP2 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP3 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP6 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17235