LiveActive security incident?Get immediate response
CVE Record

CVE-2021-41160: Improper region checks in FreeRDP allow out of bound write to memory

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a malicious server might trigger out of bound writes in a connected client. Connections using GDI or SurfaceCommands to send graphics updates to the client might send `0` width/height or out of bound rectangles to trigger out of bound writes. With `0` width or heigth the memory allocation will be `0` but the missing bounds checks allow writing to the pointer at this (not allocated) region. This issue has been patched in FreeRDP 2.4.1.

MediumCVSS 5.3Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2021-41160 affects FreeRDP clients before 2.4.1. A malicious or compromised RDP server can send malformed graphics updates that make the client write outside allocated memory. The main business risk is integrity impact on endpoints using vulnerable FreeRDP to connect to RDP servers.

Executive priority

Treat as a targeted client-side risk, not an internet-facing server emergency. Prioritize patching systems that use FreeRDP for administration, remote support, or connections to third-party RDP environments.

Technical view

FreeRDP lacks sufficient region bounds checks for GDI or SurfaceCommands graphics updates. Zero width or height and out-of-bounds rectangles can lead to zero allocation followed by out-of-bounds writes. The issue is CWE-787 and is patched in FreeRDP 2.4.1.

Likely exposure

Exposure is most likely on Linux or Unix-like endpoints, jump hosts, or automation environments running FreeRDP versions earlier than 2.4.1. Risk increases when users connect to untrusted, attacker-controlled, or compromised RDP servers.

Exploitation context

The provided sources do not report active exploitation, and the CVE is not marked KEV. Exploitation requires a malicious server interacting with a vulnerable FreeRDP client and sending malformed graphics update data.

Researcher notes

Focus validation on FreeRDP client code paths handling GDI and SurfaceCommands graphics updates. The advisory describes missing bounds checks around zero-size and out-of-bounds rectangles. Do not assume code execution from the provided sources; they support out-of-bounds write and integrity impact.

Mitigation direction

  • Upgrade FreeRDP to 2.4.1 or a distro package containing the fix.
  • Apply relevant Fedora, Gentoo, Debian, or vendor security updates.
  • Avoid using vulnerable FreeRDP clients with untrusted RDP servers.
  • Remove or disable FreeRDP clients where no business need exists.
  • Check current vendor guidance for supported fixed package versions.

Validation and detection

  • Inventory systems with FreeRDP or freerdp2 installed.
  • Confirm installed versions are 2.4.1 or vendor-fixed builds.
  • Review whether users connect to external or untrusted RDP servers.
  • Check package update history for relevant security advisories.
  • Validate vulnerability scanner findings against package backport notes.
Prepared
Confidence
high
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-787: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2021-41160 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.3 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
8Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.3CVSS 3.1MediumCVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N0.84Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

5.3Medium
CVSS 3.1 vector shape for CVE-2021-41160Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
FreeRDPFreeRDP< 2.4.1Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-787 · source CWE mapping

Out-of-bounds Write

Out-of-bounds Write represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.