Unrated severity · NVD Advisory · Published Oct 21, 2021 · Updated Nov 3, 2025
Improper region checks in FreeRDP allow out of bound write to memory
CVE-2021-41160
Description
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a malicious server can trigger out-of-bounds writes in a connected client. Connections that use GDI or SurfaceCommands to send graphics updates to the client can carry rectangles with a width or height of 0, or rectangles that extend beyond the target surface. With a width or height of 0 the memory allocation is 0 bytes, but the missing bounds checks still allow writes through the pointer to this (not actually allocated) region. This issue has been patched in FreeRDP 2.4.1.
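The check that the description says was missing, as an added example in C. This is not FreeRDP code: the surface and rectangle types, and the function names (surface_create, rect_fits_surface, surface_fill_rect, surface_peek), are hypothetical stand-ins for the client-side GDI/surface buffers that receive server-controlled rectangles. It shows both halves of the advisory's failure mode: a zero-sized surface is never allocated (so there is no 0-byte buffer to write through), and a zero-sized or out-of-surface rectangle is rejected before any write, with 64-bit sums so left+width cannot wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical client-side surface (added example, not FreeRDP's own types). */
typedef struct {
    uint32_t width;   /* pixels */
    uint32_t height;  /* pixels */
    uint32_t bpp;     /* bytes per pixel */
    size_t   size;    /* bytes actually allocated for data */
    uint8_t *data;
} surface_t;

/* A rectangle exactly as a graphics update from the server might describe it. */
typedef struct {
    uint32_t left, top, width, height;
} rect_t;

/* Refuse to create a surface with no pixels. A 0-byte allocation is the
 * "not allocated" region from the advisory: malloc(0) may hand back a
 * non-NULL pointer that is never safe to write through. */
surface_t *surface_create(uint32_t width, uint32_t height, uint32_t bpp)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 4)
        return NULL;
    uint64_t pixels = (uint64_t)width * height;
    if (pixels > SIZE_MAX / bpp)               /* would overflow size_t */
        return NULL;
    surface_t *s = calloc(1, sizeof *s);
    if (!s)
        return NULL;
    s->size = (size_t)pixels * bpp;
    s->data = calloc(1, s->size);
    if (!s->data) {
        free(s);
        return NULL;
    }
    s->width = width;
    s->height = height;
    s->bpp = bpp;
    return s;
}

void surface_free(surface_t *s)
{
    if (s) {
        free(s->data);
        free(s);
    }
}

/* The bounds check: zero-sized rectangles and rectangles that extend past the
 * surface are rejected before any write. Sums are done in 64 bits so a large
 * server-supplied left/top cannot wrap around a 32-bit addition. */
bool rect_fits_surface(const surface_t *s, const rect_t *r)
{
    if (!s || !s->data || !r)
        return false;
    if (r->width == 0 || r->height == 0)
        return false;
    if ((uint64_t)r->left + r->width > s->width)
        return false;
    if ((uint64_t)r->top + r->height > s->height)
        return false;
    return true;
}

/* Fill a rectangle with one byte value. Returns 0 on success, -1 if the
 * rectangle was rejected; a client would then drop the update or disconnect. */
int surface_fill_rect(surface_t *s, const rect_t *r, uint8_t value)
{
    if (!rect_fits_surface(s, r))
        return -1;
    for (uint32_t y = 0; y < r->height; y++) {
        size_t off = ((size_t)(r->top + y) * s->width + r->left) * s->bpp;
        memset(s->data + off, value, (size_t)r->width * s->bpp);
    }
    return 0;
}

/* First byte of one pixel, or -1 if out of range. Used to confirm writes. */
int surface_peek(const surface_t *s, uint32_t x, uint32_t y)
{
    if (!s || x >= s->width || y >= s->height)
        return -1;
    return s->data[((size_t)y * s->width + x) * s->bpp];
}

int main(void)
{
    /* Constructed inputs: a 32x16 surface and three server-style rectangles. */
    surface_t *s = surface_create(32, 16, 4);
    rect_t zero = {0, 0, 0, 5};              /* width 0: the advisory's case */
    rect_t past = {31, 0, 2, 1};             /* runs one pixel past the edge */
    rect_t ok   = {4, 2, 8, 3};              /* fits entirely */
    printf("zero-width rect: %d\n", surface_fill_rect(s, &zero, 0xAA));
    printf("past-edge rect:  %d\n", surface_fill_rect(s, &past, 0xAA));
    printf("valid rect:      %d\n", surface_fill_rect(s, &ok, 0xAA));
    surface_free(s);
    return 0;
}
```

The two rejections are deliberately separate: surface_create catches the zero-sized allocation at the point the surface is set up, and rect_fits_surface catches every later update against the surface's real dimensions, so a rectangle is never trusted on the strength of the allocation having succeeded.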
Affected products
- pkg:rpm/almalinux/freerdp (no CPE): < 2:2.2.0-7.el8_5
- pkg:rpm/almalinux/freerdp-devel (no CPE): < 2:2.2.0-7.el8_5
- pkg:rpm/almalinux/freerdp-libs (no CPE): < 2:2.2.0-7.el8_5
- pkg:rpm/almalinux/libwinpr (no CPE): < 2:2.2.0-7.el8_5
- pkg:rpm/almalinux/libwinpr-devel (no CPE): < 2:2.2.0-7.el8_5
- pkg:rpm/opensuse/freerdp2, openSUSE Tumbleweed (no CPE): < 2.4.1-1.1
- pkg:rpm/opensuse/freerdp, openSUSE Leap 15.4 (no CPE): < 2.4.0-150400.3.6.1
- pkg:rpm/suse/freerdp, SUSE Linux Enterprise Module for Package Hub 15 SP4 (no CPE): < 2.4.0-150400.3.6.1
- pkg:rpm/suse/freerdp, SUSE Linux Enterprise Workstation Extension 15 SP4 (no CPE): < 2.4.0-150400.3.6.1
The distribution fixed versions above are backports; a package version below upstream 2.4.1 is not by itself evidence that a host is exposed, so check the distribution's own advisory for the package actually installed.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DWJXQOWKNR7O5HM2HFJOM4GBUFPTE3RG/ (vendor advisory, via MITRE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WIZUPVRGCWUDAPDOQVUGUIYUO7UWKMXX/ (vendor advisory, via MITRE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZXCR73EDVPLI6TRWRAWJCJ7OBYDKBB74/ (vendor advisory, via MITRE)
- security.gentoo.org/glsa/202210-24 (vendor advisory, via MITRE)
- lists.debian.org/debian-lts-announce/2023/11/msg00010.html (mailing list, via MITRE)
- github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7c9r-6r2q-93qg (upstream advisory, via MITRE)