CVE-2025-68118

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-68118
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68118.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68118
Aliases
  • GHSA-h78c-5cjx-jw6x
Downstream
Published
2025-12-17T22:01:14.722Z
Modified
2026-01-04T05:42:31.378206Z
Severity
  • 6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Potential Heap Out-of-Bounds Read in freerdp_certificate_data_hash_ via Unsafe _snprintf Usage
Details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function freerdp_certificate_data_hash_ uses the Microsoft-specific _snprintf function to format certificate cache filenames without guaranteeing NUL termination when truncation occurs. According to Microsoft documentation, _snprintf does not append a terminating NUL byte if the formatted output exceeds the destination buffer size. If an attacker controls the hostname value (for example via server redirection or a crafted .rdp file), the resulting filename buffer may not be NUL-terminated. Subsequent string operations performed on this buffer may read beyond the allocated memory region, resulting in a heap-based out-of-bounds read. In default configurations, the connection is typically terminated before sensitive data can be meaningfully exposed, but unintended memory read or a client crash may still occur under certain conditions. Version 3.20.0 has a patch for the issue.

Database specific 
{
    "cwe_ids": [
        "CWE-125"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68118.json"
}
References

Affected packages

Git / github.com/freerdp/freerdp

Affected ranges

Type
GIT
Repo
https://github.com/freerdp/freerdp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
b8e790a02ede8dd64ff7177fb9027d1844e66bb6

Affected versions

1.*
1.0-beta1
1.0-beta2
1.0-beta3
1.0-beta4
1.0-beta5
1.0.0
1.0.1
1.1.0-beta+2013071101
1.1.0-beta1
1.1.0-beta1+android2
1.1.0-beta1+android3
1.1.0-beta1+android4
1.1.0-beta1+android5
1.1.0-beta1+ios1
1.1.0-beta1+ios2
1.1.0-beta1+ios3
1.1.0-beta1+ios4
1.2.0-beta1+android7
1.2.0-beta1+android9
2.*
2.0.0
2.0.0-beta1+android10
2.0.0-beta1+android11
2.0.0-rc0
2.0.0-rc1
2.0.0-rc2
2.0.0-rc3
2.0.0-rc4
3.*
3.0.0
3.0.0-beta1
3.0.0-beta2
3.0.0-beta3
3.0.0-beta4
3.0.0-rc0
3.1.0
3.10.0
3.10.1
3.10.2
3.10.3
3.11.0
3.11.1
3.12.0
3.13.0
3.14.0
3.14.1
3.15.0
3.16.0
3.17.0
3.17.1
3.17.2
3.18.0
3.19.0
3.19.1
3.2.0
3.3.0
3.4.0
3.5.0
3.5.1
3.6.0
3.6.1
3.6.2
3.6.3
3.7.0
3.9.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68118.json"