CVE-2021-41160 MEDIUM

CVE-2021-41160: Improper region checks in FreeRDP allow out of bound write to memory

Vendor Freerdp
Product FreeRDP
Weakness CWE-787
Published October 21, 2021
Last update November 3, 2025

CVSS base score

5.3/10
Attack vector Local
Attack complexity High
Privileges required High
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

What the vulnerability does

01Description

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a malicious server might trigger out of bound writes in a connected client. Connections using GDI or SurfaceCommands to send graphics updates to the client might send `0` width/height or out of bound rectangles to trigger out of bound writes. With `0` width or heigth the memory allocation will be `0` but the missing bounds checks allow writing to the pointer at this (not allocated) region. This issue has been patched in FreeRDP 2.4.1.

Key dates

02Disclosure timeline

October 21, 2021 CVE published
November 3, 2025 Record updated