Medium severity4.2NVD Advisory· Published Apr 24, 2026· Updated Apr 27, 2026

CVE-2026-40254

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in channels/drive/client/drive_file.c. The contains_dotdot() function catches ../ and ..\ mid-path but misses .. when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue.

Affected products

Freerdp/Freerdp
cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
Range: <3.25.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmxnvdExploitMitigationVendor Advisory

News mentions

CVE-2025-68670: discovering an RCE vulnerability in xrdp
Securelist · May 8, 2026

cvss	0.273
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000