Vulnerability - CVE-2022-39317

›

›vulnerability›CVE-2022-39317

Name

CVE-2022-39317

Source

NVD ( link)Debian ( link)

Description

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing a range check for input offset index in ZGFX decoder. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it. This issue has been addressed in version 2.9.0. There are no known workarounds for this issue.

CWEs

CWE-125 CWE-125

Published Date

Nov 16, 2022

Updated Date

Jun 17, 2026

Workaround

-

Advisories

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-99cm-4gw7-c8jhThird Party Advisory

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-99cm-4gw7-c8jhThird Party Advisory

Analysis#

Affected Component

Analysis

Vulnerability Ratings#

4.6

CVSSv31

4.6

CVSSv31

NaN

other

Others affected components#

Name

Project

Project Version

Version

Status

buildroot

2025.02.x

2.11.8

Not Affected

buildroot

master

2.11.8

Not Affected

yocto

master

2.11.8

Not Affected

yocto

master

3.26.0

Not Affected

yocto

scarthgap

2.11.8

Not Affected

yocto

scarthgap

3.4.0

Not Affected

Resolved with patches#

freerdp (yocto:kirkstone)

#

Title

Author

Resolve

1

Added missing length checks in zgfx_decompress_segment

akallabeth <akallabeth@posteo.net>

CVE-2022-39316

CVE-2022-39317