CRITICAL🇵🇱 Wersja polska

CVE-2024-32658

CVSS 9.8v3.1pub. 2024-04-23upd. 2025-11-03

FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read. Version 3.5.1 contains a patch for the issue. No known workarounds are available.

🤖 AI Analysis
How it works

The vulnerability, classified as CWE-125, involves the ability to read data outside the intended memory area during RDP protocol data processing. An attacker can provide specially crafted data to the FreeRDP client, causing unauthorized reading of the process memory. The attack vector is network-based and requires no privileges or user interaction on the victim's side.

Impact

An attacker can gain unauthorized access to sensitive data stored in the process memory, and in combination with other vulnerabilities, may lead to compromise of system integrity or availability.

Mitigation & patch

FreeRDP should be updated to version 3.5.1, which contains a patch that resolves the issue. The vendor does not indicate any known workarounds. For Fedora, package updates should be applied according to announcements published on Fedora mailing lists.

Who is affected

FreeRDP clients (Freerdp Freerdp) in versions prior to 3.5.1 and FreeRDP packages available in Fedora distributions (Fedoraproject Fedora).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Fedora Project Fedora

    OS
    Fedoraproject
    383940
  • Freerdp

    APP
    Freerdp
    < 2.11.73.0.0 – 3.5.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Memory
CWE
References

Related vulnerabilities

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit

CVE-2024-5274CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML

CVE-2024-4947CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Type Confusion w silniku V8 Chrome — zdalne wykonanie kodu (RCE)

CVE-2024-4671CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Use-after-free w Google Chrome Visuals umożliwiający ucieczkę z sandbox

CVE-2023-6345CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Integer overflow w Skia w Google Chrome — sandbox escape