CVE-2021-41160
Severity: HIGH 8.8 | EPSS: 0.11% | freerdp2 - security update
Published: 10/21/2021 | Modified: 3/9/2026
Also known as: DEBIAN-CVE-2021-41160, DEBIAN-CVE-2022-24883, DEBIAN-CVE-2022-39282, DEBIAN-CVE-2022-39283, DEBIAN-CVE-2022-39318, DEBIAN-CVE-2022-39319, DEBIAN-CVE-2022-39347, DEBIAN-CVE-2022-41877, DEBIAN-CVE-2023-39350, DEBIAN-CVE-2023-39351, DEBIAN-CVE-2023-39352, DEBIAN-CVE-2023-39353, DEBIAN-CVE-2023-39354, DEBIAN-CVE-2023-39356, DEBIAN-CVE-2023-40181, DEBIAN-CVE-2023-40186, DEBIAN-CVE-2023-40188, DEBIAN-CVE-2023-40567, DEBIAN-CVE-2023-40569, DEBIAN-CVE-2023-40589, DEBIAN-CVE-2024-22211, DEBIAN-CVE-2024-32039, DEBIAN-CVE-2024-32040, DEBIAN-CVE-2024-32041, DEBIAN-CVE-2024-32459, DEBIAN-CVE-2024-32460, DEBIAN-CVE-2024-32658, DEBIAN-CVE-2024-32659, DEBIAN-CVE-2024-32660, DLA-4053-1
Description
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a malicious server can trigger out-of-bounds writes in a connected client. Connections using GDI or SurfaceCommands to send graphics updates to the client can send `0` width/height or out-of-bounds rectangles to trigger out-of-bounds writes. With `0` width or height the memory allocation will be `0` bytes, but the missing bounds checks still allow writing through the pointer into this (not allocated) region. This issue has been patched in FreeRDP 2.4.1.
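The defect class described above is a missing validation step between "rectangle arrives from the server" and "allocate and write pixels". The following is an added example, not FreeRDP's own code: the `surface_t` and `update_rect_t` types and the function names are hypothetical stand-ins for a client-side surface and an untrusted update rectangle. It shows the checks a client should apply before allocating or copying: reject zero-size rectangles, reject rectangles whose origin or extent falls outside the destination surface (using 64-bit arithmetic so `x + width` cannot wrap), and compute the buffer size without integer overflow.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BYTES_PER_PIXEL 4

/* Client-side destination surface (hypothetical type, not FreeRDP's). */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint8_t *pixels;   /* width * height * BYTES_PER_PIXEL bytes */
} surface_t;

/* Rectangle as received from the server: every field is untrusted input. */
typedef struct {
    uint32_t x, y, width, height;
} update_rect_t;

/* Returns true only if the rectangle is non-empty and lies entirely inside s. */
bool rect_is_valid(const surface_t *s, const update_rect_t *r)
{
    if (r->width == 0 || r->height == 0)
        return false;                         /* zero-size: a 0-byte allocation */
    if (r->x >= s->width || r->y >= s->height)
        return false;                         /* origin already outside the surface */
    /* 64-bit arithmetic so that x + width cannot wrap around in 32 bits. */
    if ((uint64_t)r->x + r->width > s->width)
        return false;
    if ((uint64_t)r->y + r->height > s->height)
        return false;
    return true;
}

/* Byte size of the rectangle's pixel buffer; 0 if empty or if it would overflow size_t. */
size_t rect_buffer_size(const update_rect_t *r)
{
    if (r->width == 0 || r->height == 0)
        return 0;
    if (r->width > SIZE_MAX / BYTES_PER_PIXEL / r->height)
        return 0;                             /* width * height * bpp would overflow */
    return (size_t)r->width * r->height * BYTES_PER_PIXEL;
}

/* Copies src into the surface row by row, but only after validation.
 * Returns false (and writes nothing) if the rectangle or the source buffer is rejected. */
bool apply_update(surface_t *s, const update_rect_t *r, const uint8_t *src, size_t src_len)
{
    if (!rect_is_valid(s, r))
        return false;
    size_t need = rect_buffer_size(r);
    if (need == 0 || src_len < need)
        return false;                         /* caller supplied fewer bytes than the rect needs */
    size_t row_bytes = (size_t)r->width * BYTES_PER_PIXEL;
    for (uint32_t row = 0; row < r->height; row++) {
        size_t dst_off = ((size_t)(r->y + row) * s->width + r->x) * BYTES_PER_PIXEL;
        memcpy(s->pixels + dst_off, src + (size_t)row * row_bytes, row_bytes);
    }
    return true;
}

/* Allocates a zeroed surface; returns NULL on bad dimensions or allocation failure. */
surface_t *surface_new(uint32_t width, uint32_t height)
{
    update_rect_t whole = { 0, 0, width, height };
    size_t bytes = rect_buffer_size(&whole);
    if (bytes == 0)
        return NULL;
    surface_t *s = calloc(1, sizeof *s);
    if (!s)
        return NULL;
    s->pixels = calloc(1, bytes);
    if (!s->pixels) {
        free(s);
        return NULL;
    }
    s->width = width;
    s->height = height;
    return s;
}

void surface_free(surface_t *s)
{
    if (s) {
        free(s->pixels);
        free(s);
    }
}

int main(void)
{
    /* Constructed sample: a 64x48 surface and a few server-supplied rectangles. */
    surface_t *s = surface_new(64, 48);
    update_rect_t ok   = { 0, 0, 16, 16 };
    update_rect_t zero = { 0, 0, 0, 16 };
    update_rect_t oob  = { 60, 0, 8, 8 };
    int rc = (s && rect_is_valid(s, &ok) && !rect_is_valid(s, &zero) && !rect_is_valid(s, &oob)) ? 0 : 1;
    surface_free(s);
    return rc;
}
```

The order of the checks matters: the zero-size test comes first so a `0` width or height never reaches the allocator, and the source length is compared against the computed size before any `memcpy`, so a short or malformed payload cannot be used to read past its end either.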
Affected packages (3)
- Debian/freerdp2: from 0, < 2.3.0+dfsg1-2+deb11u2
- Debian/freerdp2: from 0, < 2.3.0+dfsg1-2+deb10u4
- Debian/freerdp2: from 0, < 2.3.0+dfsg1-2+deb11u2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |