Vulnerability DatabaseCVE-2022-39320

CVE-2022-39320:
NixOS vulnerability analysis and mitigation

Overview

CVE-2022-39320 affects FreeRDP, a free remote desktop protocol library and clients. The vulnerability was discovered in versions prior to 2.9.0 and involves an integer addition issue on narrow types that leads to insufficient buffer allocation. This vulnerability was disclosed and addressed in version 2.9.0 (GitHub Advisory).

Technical details

The vulnerability stems from an integer addition operation performed on types that are too narrow, resulting in a buffer allocation that is too small for the data being written. The issue has been assigned a CVSS v3.1 base score of 4.6 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (NVD).

Impact

A malicious server can exploit this vulnerability to trick a FreeRDP-based client into reading out-of-bounds data and sending it back to the server. This could potentially lead to information disclosure and denial of service conditions (GitHub Advisory, Ubuntu Security).

Mitigation and workarounds

Users are advised to upgrade to FreeRDP version 2.9.0 or later which contains the fix for this vulnerability. For users unable to upgrade immediately, the recommended workaround is to avoid using the /usb redirection switch (GitHub Advisory).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer?

Request vulnerability assessment

4.6

Score

Published November 16, 2022

Severity MEDIUM

CNA Score 5.5

Affected Technologies

NixOS
Alma Linux

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 10.9

Exploitation Probability (EPSS) N/A

Affected packages and libraries

freerdp-libs
freerdp-debuginfo

Sources

NVD
AlmaLinux Security Advisory
- AlmaLinux 8 Severity MEDIUMHas FixAdded at: May 21, 2023
- AlmaLinux 9 Severity MEDIUMHas FixAdded at: May 14, 2023
Alpine Security Tracker
- Alpine 3.13, 3.14, 3.15, 3.16 Severity MEDIUMHas FixAdded at: Dec 03, 2023
- Alpine 3.17 Severity MEDIUMHas FixAdded at: Nov 23, 2022
- Alpine 3.18 Severity MEDIUMHas FixAdded at: May 10, 2023
- Alpine 3.19 Severity MEDIUMHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity MEDIUMHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity MEDIUMHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity MEDIUMHas FixAdded at: Jun 01, 2025
- Alpine edge Severity MEDIUMHas FixAdded at: Jun 19, 2023
Debian Security Tracker
- Debian 10 Severity MEDIUMNo FixAdded at: Nov 18, 2022
- Debian 11, 12 Severity MEDIUMHas FixAdded at: Nov 18, 2022
Gentoo Advisory Database
- Gentoo Severity MEDIUMHas FixAdded at: Jan 14, 2024
Homebrew
- Homebrew Severity MEDIUMHas FixAdded at: Feb 12, 2024
Nix
- Nix Severity MEDIUMHas FixAdded at: Nov 01, 2023
Red Hat Errata
- Red Hat 6, 7 Severity LOWNo FixAdded at: Nov 23, 2022
- Red Hat 8 Severity LOWHas FixAdded at: Nov 23, 2022
- Red Hat 9 Severity LOWHas FixAdded at: Nov 23, 2022
Ubuntu Security Tracker
- Ubuntu 18.04, 20.04, 22.04, 22.10 Severity LOWHas FixAdded at: Nov 22, 2022
- Ubuntu 23.04 Severity LOWHas FixAdded at: May 14, 2023
- Ubuntu 23.10 Severity LOWHas FixAdded at: Oct 31, 2023
- Ubuntu 24.04 Severity LOWHas FixAdded at: May 06, 2024
- Ubuntu 24.10 Severity LOWHas FixAdded at: Dec 10, 2024
- Ubuntu 25.04 Severity LOWHas FixAdded at: May 08, 2025