NIXPKGS-2026-1270

GitHub issue published on

Permalink CVE-2026-40254

4.2 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

updated 3 hours ago by @LeSuisse Activity log

Created automatic suggestion 2 days, 8 hours ago
@LeSuisse ignored reference https://g… 3 hours ago
@LeSuisse accepted 3 hours ago
@LeSuisse published on GitHub 3 hours ago

FreeRDP: contains_dotdot() off-by-one allows drive channel path traversal via terminal ..

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\` mid-path but misses `..` when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue.