Untriaged
Permalink
CVE-2026-57157
6.5 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): None (N)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): Low (L)
Activity log
- Created suggestion
Out-of-bounds read in the camera device enumerator server (rdpecam) via unterminated DeviceName / VirtualChannelName
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.28.0, FreeRDP server implementations with the MS-RDPECAM camera device enumerator channel enabled scan attacker-supplied DeviceName and VirtualChannelName fields for a NUL terminator in channels/rdpecam/server/camera_device_enumerator_main.c and then dereference once past the scan bound, allowing a malicious RDP client to trigger a 1- to 2-byte out-of-bounds heap read. This issue is fixed in version 3.28.0.
References
-
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47fr-jw86-c3fj x_refsource_CONFIRM
-
https://github.com/FreeRDP/FreeRDP/pull/12930 x_refsource_MISC
-
https://github.com/FreeRDP/FreeRDP/pull/12945 x_refsource_MISC
-
https://github.com/FreeRDP/FreeRDP/releases/tag/3.28.0 x_refsource_MISC
Affected products
FreeRDP
- ==< 3.28.0
Package maintainers
-
@cizra Elmo Todurov <todurov+nix@gmail.com>
-
@DeimElias Deim Elias <deimelias@gmail.com>