Ret2Ldz

**Name of the Vulnerable Software and Affected Versions** FreeRDP versions prior to 3.20.0 **Description** FreeRDP is a free implementation of the Remote Desktop Protocol. A flaw exists in the certificate handling code on Windows platforms. The `freerdp certificate data hash` function utilizes the ` snprintf` function to format certificate cache filenames without ensuring NUL termination when truncation happens. Microsoft documentation indicates that ` snprintf` doesn't add a terminating NUL byte if the output exceeds the buffer size. An attacker controlling the hostname value, potentially through server redirection or a crafted .rdp file, could cause the filename buffer to lack NUL termination. Subsequent string operations on this buffer may lead to a heap-based out-of-bounds read. While the connection usually terminates before sensitive data is exposed, a client crash or unintended memory read may occur. **Recommendations** Update to version 3.20.0 or later.