PT-2021-7349 · Freerdp +9

Akallabeth +1

Published 2021-10-12 · Updated 2025-11-03

CVE-2021-41160

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: FreeRDP versions prior to 2.4.1

Description: The issue is an out-of-bounds write in a connected client. A malicious server can trigger it by sending graphics updates with 0 width/height or out-of-bounds rectangles via GDI or SurfaceCommands. Because the client does not bounds-check these rectangles, the update is written to unallocated memory regions.

Recommendations: For versions prior to 2.4.1, update to FreeRDP 2.4.1 to resolve the issue. As a temporary workaround, consider restricting access to GDI or SurfaceCommands until the update is applied, and avoid connections that pass 0 width/height or out-of-bounds rectangles to the affected API endpoints until the issue is resolved.

Fix

Memory Corruption

Weakness Enumeration

Related Identifiers

ALSA-2021:4622
ALT-PU-2021-3098
ALT-PU-2021-3105
ALT-PU-2021-3106
ALT-PU-2021-3177
BDU:2022-05756
CESA-2021_4619
CESA-2021_4622
CVE-2021-41160
DLA-3654-1
DLA-4053-1
GHSA-7C9R-6R2Q-93QG
MGASA-2021-0522
OESA-2021-1424
OPENSUSE-SU-2022_2993-1
OPENSUSE-SU-2024:11591-1
RHSA-2021:4619
RHSA-2021:4620
RHSA-2021:4621
RHSA-2021:4622
RHSA-2021:4623
RHSA-2021_4619
RHSA-2021_4622
RLSA-2021:4622
SUSE-SU-2022:2993-1
USN-5154-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Freerdp
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu