Ehdgks0627

**Name of the Vulnerable Software and Affected Versions** Vim versions prior to 9.2.0075 **Description** Vim, an open source command line text editor, contains a heap-based buffer underflow issue in its Emacs-style tags file parsing logic. When processing a malformed tags file containing a delimiter at the start of a line, Vim attempts to read memory before the allocated buffer. This can potentially lead to a denial-of-service condition. **Recommendations** Versions prior to 9.2.0075 should be updated to version 9.2.0075 or later.

**Name of the Vulnerable Software and Affected Versions** Vim versions prior to 9.2.0073 **Description** Vim is a command line text editor. A flaw exists in the `netrw` standard plugin bundled with Vim. An attacker can potentially execute arbitrary shell commands with the privileges of the Vim process by tricking a user into opening a specially crafted URL, such as one using the `scp://` protocol handler. The `netrw` plugin is vulnerable to OS command injection. **Recommendations** Versions prior to 9.2.0073 should be updated to version 9.2.0073 or later.

**Name of the Vulnerable Software and Affected Versions** Vim versions prior to 9.2.0078 **Description** Vim is an open source, command line text editor. A stack-based buffer overflow occurs in the `build stl str hl()` function when rendering a statusline with a multi-byte fill character on a very wide terminal. This can potentially impact the integrity of protected information. **Recommendations** Versions prior to 9.2.0078 should be updated to version 9.2.0078 or later.

**Name of the Vulnerable Software and Affected Versions** Vim versions prior to 9.2.0076 **Description** Vim is an open source, command line text editor. A heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. The issue relates to reading beyond the boundaries of a memory buffer. The `:terminal` component is affected. **Recommendations** Versions prior to 9.2.0076 should be updated to version 9.2.0076.

**Name of the Vulnerable Software and Affected Versions** Vim versions prior to 9.2.0077 **Description** Vim is an open-source, command-line text editor. Versions prior to 9.2.0077 contain a heap-buffer-overflow and a segmentation fault (SEGV) within the swap file recovery logic. These issues are triggered by unvalidated fields read from crafted pointer blocks within a swap file. **Recommendations** Versions prior to 9.2.0077 should be updated to version 9.2.0077 or later.

**Name of the Vulnerable Software and Affected Versions** Vim versions prior to 9.2.0074 **Description** Vim, an open source command line text editor, has an issue where a heap-based buffer overflow out-of-bounds read can occur in the Emacs-style tags file parsing logic. Processing a specially crafted, malformed tags file can allow an attacker to read up to 7 bytes beyond the allocated memory boundary. The issue affects the availability of protected information. **Recommendations** Versions prior to 9.2.0074 should be updated to version 9.2.0074 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.23.0 **Description** FreeRDP is a free implementation of the Remote Desktop Protocol. A heap use after free condition exists in the clipboard handling functionality. Specifically, the `xf clipboard format equal` function reads memory that has already been freed by `xf clipboard formats free` during auto-reconnect within the cliprdr channel thread, while the X11 event thread concurrently iterates over it in `xf clipboard changed`. This occurs because `xf clipboard formats free` frees the `lastSentFormats` array while another thread is still accessing it. **Recommendations** Update to version 3.23.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.23.0 **Description** FreeRDP is a free implementation of the Remote Desktop Protocol. A heap use-after-free condition exists in the clipboard channel due to improper memory management within the `xf cliprdr provide data ` function. Specifically, the function passes freed memory (`pDstData`) to `XChangeProperty`. This occurs because the cliprdr channel thread calls `xf cliprdr server format data response`, which processes clipboard data without appropriate locking, while the X11 event thread concurrently calls `xf cliprdr clear cached data` which frees the same data via `xf cached data free`. **Recommendations** Update to version 3.23.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.23.0 **Description** FreeRDP is a free implementation of the Remote Desktop Protocol. A flaw exists in the `xf AppUpdateWindowFromSurface` function where it reads from a freed `xfAppWindow`. This occurs because the RDPGFX DVC thread obtains a bare pointer via `xf rail get window` without proper lifetime protection, while the main thread can concurrently delete the window. **Recommendations** Update to version 3.23.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.20.1 **Description** A heap-buffer-overflow can occur in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound. This allows an oversized read to overwrite heap memory. **Recommendations** Update to version 3.20.1 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.23.0 **Description** FreeRDP is a free implementation of the Remote Desktop Protocol. A flaw exists in the `xf AppUpdateWindowFromSurface` function where a cached `XImage`’s `data` pointer can reference a freed RDPGFX surface buffer. This occurs because `gdi DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. This can lead to a use-after-free condition. **Recommendations** Update to version 3.23.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.20.1 **Description** A malicious RDP server can cause a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. The `audin process formats` function reuses the `callback->formats count` variable across multiple MSG SNDIN FORMATS Protocol Data Units (PDUs), leading to a write beyond the bounds of the newly allocated `formats` array and resulting in memory corruption and a crash. **Recommendations** Update to version 3.20.1 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.20.1 **Description** FreeRDP, a free implementation of the Remote Desktop Protocol, contains a flaw due to a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread. This condition results in a heap use-after-free issue. Specifically, a pointer to `sdl->primary` (SDL Surface) is accessed after being freed during RDPGFX ResetGraphics handling. **Recommendations** Update to version 3.20.1 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.24.0 **Description** FreeRDP is a free implementation of the Remote Desktop Protocol. A client-side heap buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing horizontal bounds validation of H.264 metablock regionRects coordinates. The issue stems from unchecked pointer arithmetic when computing destination pointers using `rect->left`, potentially allowing writes beyond the allocated heap region. A malicious server can trigger this by sending a WIRE TO SURFACE PDU 1 with an AVC420 codec containing a `regionRects` entry where `left` exceeds the surface width. The vulnerable code is located in `yuv.c` within the `clamp()` function (line 347) and the `avc420 yuv to rgb` function (line 67). The `clamp()` function only validates top/bottom against the surface height, but does not check left/right against the surface width. **Recommendations** Update FreeRDP to version 3.24.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.24.0 **Description** FreeRDP is a free implementation of the Remote Desktop Protocol. A client-side heap out-of-bounds read/write issue exists in FreeRDP's bitmap cache subsystem. This is due to an incorrect boundary check in the `bitmap cache put` function when handling a CACHE BITMAP ORDER (Rev1) message with a `cacheId` equal to `maxCells`. This allows a malicious server to bypass security checks and access memory outside the allocated array. **Recommendations** Update to version 3.24.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.23.0 **Description** FreeRDP is a free implementation of the Remote Desktop Protocol. A flaw exists where the `rail window free` function dereferences a freed `xfAppWindow` pointer during `HashTable Free` cleanup. This occurs because `xf rail window common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, resulting in a dangling pointer that is freed again on disconnect. **Recommendations** Update to version 3.23.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.23.0 **Description** FreeRDP is a free implementation of the Remote Desktop Protocol. A flaw exists in the RAIL channel window management where the `xf rail server local move size` function dereferences a freed `xfAppWindow` pointer. This occurs because the `xf rail get window` function returns an unprotected pointer from the `railWindows` hash table, and the main thread can delete the window while the RAIL channel thread is still using the pointer. **Recommendations** Update to version 3.23.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.20.1 **Description** FreeRDP, a free implementation of the Remote Desktop Protocol, contains a flaw in RDPEAR’s NDR array reader. The NDR array reader does not validate the element count, potentially leading to a heap buffer overflow when reading data. This occurs due to insufficient bounds checking when processing on-wire elements, allowing writes beyond the allocated heap buffer. The vulnerable component is the `ndr read uint8Array` function. **Recommendations** Update to version 3.20.1 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.23.0 **Description** FreeRDP is a free implementation of the Remote Desktop Protocol. Versions before 3.23.0 contain a flaw where the `xf SetWindowMinMaxInfo` function improperly dereferences a freed `xfAppWindow` pointer. This occurs because the `xf rail get window` function, within `xf rail server min max info`, returns a pointer from the `railWindows` hash table without protection. Simultaneously, the main thread can delete the window, while the RAIL channel thread is still utilizing the pointer. **Recommendations** Update to version 3.23.0 or later.

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.23.0 **Description** FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the function `xf rail server execute result` indexes the global `error code names[]` array with an unchecked value, `execResult->execResult`, received from the server. This allows for a read outside the bounds of the array when the server sends a value of 7 or greater for `execResult`. The `error code names[]` array has 7 elements, with valid indices ranging from 0 to 6. **Recommendations** Update to version 3.23.0 or later.