Your submission was sent successfully! Close

CVE-2022-39316

Published: 17 November 2022

FreeRDP is a free remote desktop protocol library and clients. In affected versions there is an out of bound read in ZGFX decoder component of FreeRDP. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it likely resulting in a crash. This issue has been addressed in the 2.9.0 release. Users are advised to upgrade.

Notes

AuthorNote
mdeslaur
malicious server could cause client to crash
Priority

Low

CVSS 3 base score: 5.7

Status

Package Release Status
freerdp
Launchpad, Ubuntu, Debian
bionic Not vulnerable

focal Does not exist

jammy Does not exist

kinetic Does not exist

trusty Ignored
(out of standard support)
upstream Not vulnerable

xenial Not vulnerable

freerdp2
Launchpad, Ubuntu, Debian
bionic
Released (2.2.0+dfsg1-0ubuntu0.18.04.4)
focal
Released (2.2.0+dfsg1-0ubuntu0.20.04.4)
jammy
Released (2.6.1+dfsg1-3ubuntu2.3)
kinetic
Released (2.8.1+dfsg1-0ubuntu1.1)
trusty Ignored
(out of standard support)
upstream Needs triage

xenial Ignored
(out of standard support)
Patches:
upstream: https://github.com/FreeRDP/FreeRDP/commit/e865c24efc40ebc52e75979c94cdd4ee2c1495b0