What are the recent security vulnerabilities addressed in FreeRDP by the Ubuntu security team?

The Ubuntu security team has addressed multiple vulnerabilities in FreeRDP, including CVE-2024-22211, CVE-2024-32039, CVE-2024-32041, CVE-2024-32040, CVE-2024-32458, CVE-2024-32460, CVE-2024-32459, CVE-2024-32658, CVE-2024-32659, CVE-2024-32660, and CVE-2024-32661. These vulnerabilities pose risks of denial of service attacks and arbitrary code execution.

What is CVE-2024-22211 and how does it impact FreeRDP?

CVE-2024-22211 (CVSS score 9.8) involves improper handling of context resets in FreeRDP. It allows attackers to crash FreeRDP or execute arbitrary code by tricking users into connecting to a malicious server via methods such as phishing, fake websites, or malvertising.

What are the risks associated with CVE-2024-32039?

CVE-2024-32039 (CVSS score 9.8) is an integer overflow and out-of-bounds write issue that can lead to FreeRDP crashing and possibly allowing arbitrary code execution.

How does CVE-2024-32041 affect FreeRDP?

CVE-2024-32041 (CVSS score 9.8) involves out-of-bounds read vulnerabilities caused by incorrect memory operation handling. Exploitation through malicious server connections can cause FreeRDP to crash, leading to denial of service.

Advisory

Ubuntu Linux fixes several FreeRDP vulnerabilities, at least one critical

Q: What versions of FreeRDP are affected and what should users do?

The vulnerabilities affect FreeRDP versions before 3.5.1 on Ubuntu versions 23.10, 22.04 LTS, 20.04 LTS, and 24.04. Users should update their FreeRDP packages to the latest version to mitigate these vulnerabilities.

published: May 9, 2024

Take action: Hitting a malicious RDP server is not that probable, so this is not a panic mode update. But it's better to be safe than sorry - while the list of flaws seems huge, the patch is very simple and non-blocking. Just update your FreeRDP version, a fairly trivial update.

Learn More

The Ubuntu security team has recently addressed multiple security vulnerabilities in FreeRDP, a Remote Desktop Protocol (RDP) client commonly used for Windows Terminal Services.

These vulnerabilities pose a risk of denial of service attacks and execution of arbitrary code:

CVE-2024-22211 (CVSS score 9.8) - involves improper handling of context resets. It allows attackers to crash FreeRDP or execute arbitrary code by tricking users into connecting to a malicious server via methods such as phishing, fake websites, or malvertising.
CVE-2024-32039 (CVSS score 9.8) - an integer overflow and out-of-bounds write issue, that can lead to FreeRDP crashing and possibly allowing arbitrary code execution.
CVE-2024-32041 (CVSS score 9.8) out-of-bounds read vulnerabilities caused by incorrect memory operation handling. Exploitation through malicious server connections can cause FreeRDP to crash, leading to denial of service.
CVE-2024-32040 (CVSS score 7.5) - an integer overflow vulnerability that can lead to FreeRDP crashing and possibly allowing arbitrary code execution.
CVE-2024-32458 (CVSS score 9.8) out-of-bounds read vulnerabilities caused by incorrect memory operation handling. Exploitation through malicious server connections can cause FreeRDP to crash, leading to denial of service.
CVE-2024-32460 (CVSS score 8.1) out-of-bounds read vulnerabilities caused by incorrect memory operation handling. Exploitation through malicious server connections can cause FreeRDP to crash, leading to denial of service.
CVE-2024-32459 (CVSS score 9.8) out-of-bounds read vulnerability, it can crash both clients and servers, resulting in denial of service scenarios when exploited by remote attackers.
CVE-2024-32658 (CVSS score 9.8) out-of-bounds read vulnerability
CVE-2024-32659 (CVSS score 9.8) out-of-bounds read vulnerability
CVE-2024-32660 (CVSS score 7.5) a malicious server can crash the FreeRDP client by sending invalid huge allocation size
CVE-2024-32661 (CVSS score 7.5) vulnerable to a possible `NULL` access and crash

These vulnerabilities have been fixed in FreeRDP versions before 3.5.1 on Ubuntu versions 23.10, 22.04 LTS, 20.04 LTS, and 24.04. Users should update their FreeRDP packages to the latest version.

Ubuntu Linux fixes several FreeRDP vulnerabilities, at least one critical

Read More
Adobe releases April 2025 patches for multiple products
Adobe fixes vulnerability exploited by hackers in Acrobat …
VLC Player warns of flaw allowing hackers to …
Adobe releases October 2025 patches for multiple products
FreeBSD reports critical vulnerability in the kernel