CVE-2026-40254
FreeRDP: contains_dotdot() off-by-one allows drive channel path traversal via terminal ..
Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\` mid-path but misses `..` when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue.
CVSS Vector Breakdown
AV:NAttack VectorAC:HAttack ComplexityPR:NPrivileges RequiredUI:RUser InteractionS:UScopeC:LConfidentialityI:LIntegrityA:NAvailabilityWeaknesses
Affected Products
Exploitability
References
Timeline
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-40254 and every CVE in our database. Create a free account — no credit card required.
Create Free Account