CVE-2026-40254 MEDIUM

CVE-2026-40254: FreeRDP: contains_dotdot() off-by-one allows drive channel path traversal via terminal ..

Vendor Freerdp
Product FreeRDP
Weakness CWE-193
Published April 24, 2026
Last update April 24, 2026

CVSS base score

4.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\` mid-path but misses a bare `..` when it is the last path component with no trailing separator. A rogue RDP server can therefore read, list, or write files one directory above the client's shared folder through RDPDR (drive redirection) requests. Exploitation requires the victim to connect to the malicious server with drive redirection enabled; a client that does not redirect a drive is not exposed. Version 3.25.0 patches the issue.
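The following is an added example, not FreeRDP's source code: a hypothetical reconstruction of the flawed filter as the advisory describes it (matching only `../` and `..\`), a hardened component-wise check that also rejects a terminal `..`, and a lexical helper that shows where a server-supplied relative path lands relative to the share root. The sample paths are constructed; the function names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the flawed filter described in the advisory
 * (not FreeRDP's source): it only recognises ".." when a separator follows it,
 * so "docs/.." and a bare ".." slip through. */
static bool contains_dotdot_flawed(const char *path)
{
    return strstr(path, "../") != NULL || strstr(path, "..\\") != NULL;
}

/* Hardened form: walk the path component by component, splitting on both
 * '/' and '\\', and reject any component that is exactly "..", including
 * the final one with no trailing separator. */
static bool contains_dotdot_fixed(const char *path)
{
    const char *start = path;
    for (;;) {
        const char *end = start;
        while (*end != '\0' && *end != '/' && *end != '\\')
            end++;
        if (end - start == 2 && start[0] == '.' && start[1] == '.')
            return true;
        if (*end == '\0')
            return false;
        start = end + 1;
    }
}

/* Lexical check of where a server-supplied relative path lands when joined to
 * the share root: ".." pops one level; popping past the root means the final
 * path is outside the shared folder (symlinks are out of scope here). */
static bool escapes_share_root(const char *rel)
{
    int depth = 0;
    const char *start = rel;
    for (;;) {
        const char *end = start;
        while (*end != '\0' && *end != '/' && *end != '\\')
            end++;
        size_t len = (size_t)(end - start);
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return true;    /* ".." at the root: one level above the share */
            depth--;
        } else if (len > 0 && !(len == 1 && start[0] == '.')) {
            depth++;            /* ordinary component; "" and "." are no-ops */
        }
        if (*end == '\0')
            return false;
        start = end + 1;
    }
}

int main(void)
{
    /* Constructed sample paths a rogue server might place in RDPDR requests. */
    const char *samples[] = {
        "docs/report.txt", "docs/../report.txt", "docs\\..\\report.txt",
        "docs/..", "docs\\..", "..", "..hidden/file", "docs/../..",
    };
    size_t i;
    printf("%-24s %-7s %-7s %s\n", "path", "flawed", "fixed", "escapes");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %-7s %-7s %s\n", samples[i],
               contains_dotdot_flawed(samples[i]) ? "reject" : "allow",
               contains_dotdot_fixed(samples[i]) ? "reject" : "allow",
               escapes_share_root(samples[i]) ? "yes" : "no");
    return 0;
}
```

Only the bare `..` both evades the flawed filter and leaves the share (it resolves to the parent directory, which is exactly the "one directory above" the advisory describes); `docs/..` also evades it but resolves to the root itself. Rejecting every `..` component, as the hardened check does, is the simpler policy and needs no reasoning about resolution order.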

Key dates

Disclosure timeline

April 24, 2026 CVE published
April 24, 2026 Record updated