NIXPKGS-2026-1270

GitHub issue published 1 month, 4 weeks ago

Permalink CVE-2026-40254

4.2 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

updated 1 month, 4 weeks ago by @LeSuisse Activity log

Created suggestion 2 months ago
@LeSuisse accepted 1 month, 4 weeks ago
@LeSuisse published on GitHub 1 month, 4 weeks ago

FreeRDP: contains_dotdot() off-by-one allows drive channel path traversal via terminal ..

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\` mid-path but misses `..` when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue.

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmx x_refsource_CONFIRMexploit

Affected products

FreeRDP

==< 3.25.0

Matching in nixpkgs

pkgs.freerdp

Remote Desktop Protocol Client

nixos-unstable 3.24.2
- nixpkgs-unstable 3.24.2
- nixos-unstable-small 3.24.2

Package maintainers

@DeimElias Deim Elias <deimelias@gmail.com>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1270

References

Affected products

Matching in nixpkgs

pkgs.freerdp

Package maintainers