CVE-2026-57157
Wolfi Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-57157 is an out-of-bounds read vulnerability in FreeRDP's camera device enumerator server (rdpecam) channel, caused by unterminated DeviceName or VirtualChannelName fields. It affects FreeRDP versions up to and including 3.27.1, with the fix introduced in version 3.28.0. The vulnerable code was introduced on 2026-02-15 (commit 6db1965) and disclosed on 2026-07-06. It carries a CVSS v3.1 base score of 5.4 (Medium) per the GitHub advisory, though Feedly estimates the severity as HIGH (FreeRDP Advisory).

Técnicas

The root cause is CWE-125 (Out-of-bounds Read). Three handler functions in channels/rdpecam/server/camera_device_enumerator_main.c scan attacker-supplied name fields for a NUL terminator using a loop bounded by the remaining stream length, but then dereference the resulting pointer once more after the loop without re-checking the bound. When no NUL terminator exists within the remaining bytes, the post-loop dereference reads 1–2 bytes past the logical end of the message. The receive buffer is a 4096-byte heap allocation (Stream_New(NULL, 4096)); a message of exactly 4096 bytes causes the DeviceName scan to exit with the pointer at offset 4096 — one element past the allocation boundary. The vulnerability is exploitable by any connected RDP client against a FreeRDP-based server with camera redirection enabled (FreeRDP Advisory).

Impacto

A malicious RDP client can trigger a 1- to 2-byte out-of-bounds heap read on the server. If the read lands on an unmapped memory page (achievable by crafting a message that exactly fills the 4096-byte receive buffer), the server process crashes, resulting in denial of service. Direct information disclosure is limited because the read value is only used in a != 0 comparison; however, the attacker-triggerable out-of-bounds access represents a memory safety violation that could have further consequences depending on heap layout. Only FreeRDP-based server implementations with the [MS-RDPECAM] channel enabled are affected (FreeRDP Advisory).

Pasos de explotación

  1. Reconnaissance: Identify FreeRDP-based RDP servers (version ≤ 3.27.1) with camera redirection enabled, using network scanning tools such as Shodan or Nmap targeting RDP port 3389.
  2. Connect to the target: Establish an RDP client connection to the vulnerable server. If the server requires authentication before opening dynamic virtual channels, valid credentials are needed at this stage.
  3. Open the RDCamera_Device_Enumerator channel: Initiate the RDCamera_Device_Enumerator dynamic virtual channel from the client side.
  4. Craft the malicious message: Construct a message of exactly 4096 bytes total:
    • Byte 0: Version field
    • Byte 1: MessageId = 0x05 (CAM_MSG_ID_DeviceAddedNotification)
    • Bytes 2–4095: A DeviceName field containing no aligned 16-bit zero (e.g., repeating 0xA0 0xA1 bytes)
  5. Send the message: Transmit the crafted message over the virtual channel. The server reads 4096 bytes into its 4096-byte buffer without capacity growth, then scans the 4094-byte DeviceName region without finding a NUL WCHAR.
  6. Trigger OOB read: The post-loop dereference reads 2 bytes at offset 4096 (past the heap allocation). If this address is unmapped, the server process crashes (denial of service) (FreeRDP Advisory).

Indicadores de compromiso

  • Network: Unexpected or repeated RDP connections from unknown clients to servers with camera redirection enabled; RDP traffic containing dynamic virtual channel messages of exactly 4096 bytes on the RDCamera_Device_Enumerator channel.
  • Process: Unexpected crashes or restarts of the FreeRDP server process (freerdp-shadow or similar); crash dumps or core files generated by the FreeRDP server process.
  • Logs: Server-side RDP session logs showing connections that open the RDCamera_Device_Enumerator channel followed immediately by process termination; AddressSanitizer or OS-level segfault logs referencing camera_device_enumerator_main.c (FreeRDP Advisory).

Mitigación y soluciones alternativas

Upgrade FreeRDP to version 3.28.0 or later, which contains the fix for all three vulnerable handler instances. As a workaround, disable the [MS-RDPECAM] camera redirection channel on the server if camera functionality is not required. Administrators should also restrict RDP access to trusted clients and require authentication before dynamic virtual channel access where possible. The fix involves re-checking the loop bound before each post-loop dereference and treating the absence of a NUL terminator within bounds as an ERROR_INVALID_DATA condition (FreeRDP Advisory, Linuxiac).

Reacciones de la comunidad

The vulnerability was reported by security researcher Owais Lone and published by FreeRDP maintainer akallabeth via GitHub Security Advisories on 2026-07-06. Coverage appeared on Linuxiac in the context of the FreeRDP 3.28.0 release announcement, which highlighted the security fixes included in the update. Tenable published a Nessus plugin (ID 325546) for detection shortly after disclosure (FreeRDP Advisory, Linuxiac, Tenable).

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado Wolfi Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-57156HIGH8.6
  • Wolfi logoWolfi
  • freerdp
NoJul 10, 2026
CVE-2026-54174HIGH8.3
  • Wolfi logoWolfi
  • dagdotdev
NoJul 10, 2026
CVE-2026-57157MEDIUM6.5
  • Wolfi logoWolfi
  • freerdp3
NoNoJul 10, 2026
CVE-2026-57158MEDIUM5.1
  • Wolfi logoWolfi
  • libwinpr-devel
NoNoJul 10, 2026
CVE-2026-61874LOW2.3
  • Wolfi logoWolfi
  • filebrowser
NoJul 12, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades