CVE-2025-68118
December 17, 2025
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function "freerdp_certificate_data_hash_ uses" the Microsoft-specific "_snprintf" function to format certificate cache filenames without guaranteeing NUL termination when truncation occurs. According to Microsoft documentation, "_snprintf" does not append a terminating NUL byte if the formatted output exceeds the destination buffer size. If an attacker controls the hostname value (for example via server redirection or a crafted .rdp file), the resulting filename buffer may not be NUL-terminated. Subsequent string operations performed on this buffer may read beyond the allocated memory region, resulting in a heap-based out-of-bounds read. In default configurations, the connection is typically terminated before sensitive data can be meaningfully exposed, but unintended memory read or a client crash may still occur under certain conditions. Version 3.20.0 has a patch for the issue.
Affected Packages
https://github.com/FreeRDP/FreeRDP.git (GITHUB):
Affected version(s) >=1.0-beta1 <3.20.0Fix Suggestion:
Update to version 3.20.0Related Resources (2)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.6
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
UNREPORTED
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Out-of-bounds Read
EPSS
Base Score:
0.05
