{"id":"CVE-2020-13396","details":"An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) read vulnerability has been detected in ntlm_read_ChallengeMessage in winpr/libwinpr/sspi/NTLM/ntlm_message.c.","modified":"2026-04-11T22:58:13.888871Z","published":"2020-05-22T18:15:11.677Z","related":["ALSA-2020:4647","MGASA-2020-0297","SUSE-SU-2020:2032-1","SUSE-SU-2020:2068-1","SUSE-SU-2020:2272-1","openSUSE-SU-2020:1090-1","openSUSE-SU-2024:10768-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"last_affected":"16.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"18.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:esm:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"19.10"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"20.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"10.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"9.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"15.1"}],"cpe":"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"}]},"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00080.html"},{"type":"ADVISORY","url":"https://github.com/FreeRDP/FreeRDP/commit/8fb6336a4072abcee8ce5bd6ae91104628c7bb69"},{"type":"ADVISORY","url":"https://github.com/FreeRDP/FreeRDP/compare/2.1.0...2.1.1"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/08/msg00054.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00008.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4379-1/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4382-1/"},{"type":"FIX","url":"https://github.com/FreeRDP/FreeRDP/commit/48361c411e50826cb602c7aab773a8a20e1da6bc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/freerdp/freerdp","events":[{"introduced":"0"},{"fixed":"1923e63516c1182bd5e917aeac563431e8c5381a"},{"fixed":"48361c411e50826cb602c7aab773a8a20e1da6bc"},{"fixed":"8fb6336a4072abcee8ce5bd6ae91104628c7bb69"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"2.1.1"}],"cpe":"cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*"}}],"versions":["1.0-beta1","1.0-beta2","1.0-beta4","1.0-beta5","1.0.0","1.0.1","1.1.0-beta+2013071101","1.1.0-beta1","1.1.0-beta1+android2","1.1.0-beta1+android3","1.1.0-beta1+android4","1.1.0-beta1+android5","1.1.0-beta1+ios1","1.1.0-beta1+ios2","1.1.0-beta1+ios3","1.1.0-beta1+ios4","1.2.0-beta1+android7","1.2.0-beta1+android9","2.0.0","2.0.0-beta1+android10","2.0.0-beta1+android11","2.0.0-rc0","2.0.0-rc1","2.0.0-rc2","2.0.0-rc3","2.0.0-rc4","2.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13396.json","vanir_signatures":[{"signature_type":"Line","id":"CVE-2020-13396-0ee58b18","digest":{"threshold":0.9,"line_hashes":["76520381303793706354394905156980639001","282566849556074964205805592990203830151","2698456206615341861518141281162735263","336224440757755728172154181684934044262","284261491817822275984846553019646872461","174244900834914134481064781483553193622","25123155323745967112731675775873879837","148364140446082720606710342613023699548","329592443135845426657122755048216713889","92050099407558400304911403809018760521","219778130722162753086991176156569321635","125116767760870193408727759792769658146","88416154254472454682746949546237262074","79952438847140396587226509256224753217","121807398591422663603578373372885019896","253662455073028227159382901201324874617","123343054448212955456026968069702074263","85020857556450694534509256204783017162","255268007936620559016517340264197516878","108335059698860200798144054774198324742","253662455073028227159382901201324874617","240995267951714944486160611582135353152","291074483248729273453431999541330985308","129017258434056908024324606257422911030","70583760549871203164819784487145745882","253662455073028227159382901201324874617","287317102111360111191812340028500137571","78096176348979768258085483910943756995","189514320141550507647682763963431167914","263521197669050329772330980423265818807","253662455073028227159382901201324874617","125553016897872548207771638126188345197","221427188409031947289975677762055770763","48211495049074874002077796785519702699","51841942972102033420572675048580799302","227149694492067127439389869671648232881","25657475031488990629022805907062583020","253662455073028227159382901201324874617","236131924727105989770235627263969569172","404961262520880213896549041560818677","76520519321503052670336425612450828138","42182737805846986767588101573941834629","175267322124283822811329432679139428655","25657475031488990629022805907062583020","253662455073028227159382901201324874617","179969551482694339913226104554343424711","110823472763331360591313786754000110041","252595975412916820974593547068248951630","203616502083983596101483711872570850921","148032249025554410770411864522517842292","253662455073028227159382901201324874617","86259315868274478866129269715086657323","304449601009727400554869754590693330504","5769487755201660675613962178441835555","103252313546216007019505893436124695779","6528800998010061828632523047093720207","198293103083158085166393109051800837141","253662455073028227159382901201324874617","321450999058637810535222367808907282124","144054043621970048034713444083207762265","254459861314800345377836294395846988880","325477314746408175987086886507696388647","323817494117943062766276477142106828756","29830899257949064160324195422047496607","76658061156390856718071325176261237349","149674284592307821669701883019372276889","22403996456231067067373353180918568504","264765439589889091805463967585975883466","170315957829491235757955819577812241687","255215294974773659930854751842363868195","237216221709819711804293436047757821876","292953039882829041295606457345555572947","218766423504259947289900408253431671550","22403996456231067067373353180918568504","184447313844979918470961562939609686580","164618626292090153856976000591043055846","104526990048086803078362948849364608156","171221644522950278383225378516731773808","280886997198293342038796419464347791413","219289979057791117579204233858393480502","322937327511811249489781785390541257866","315896174128681262367343401928670534491","295644083560539443863928791112575506855","304841028687548304366317311638277229790","268214698980186406298142140306129214751","50740373022697109694620992539524500864","22403996456231067067373353180918568504","285490879323213147339368713077726501539","95436462363306011830873191765979715015","156027718641624427258416852038815979138","173432492318165356035225302545932184904","42395135299068077890231018357304392881","183564901653277209536945505928777561068","248821439445727256144157035414161211328","22403996456231067067373353180918568504","285796042501991946444159004307681763947","135815570073712181521374754386610406042","284216379088730192347659933499939622455","266197114402477364268695471994224603855","155404006809631617980518073615825954117","61220545607901056910946501117221981609","22403996456231067067373353180918568504","137446275411128756183703025870136031408","163013432576364131338761776619017607703","60032182530726175694029106914526931218","179876652548909961644942277693680262836","22403996456231067067373353180918568504","183277554081267176911287656947754279486","77451657823830781328797188815744328662","214214016723929973918295023957816395233","325604262791483187033109266344103980245","251949897614616272012089048062998320802","141530621083971726944693880189356676330","16807126797070448674878768397853130304","288094109949166151755610643723371366988","64629159380884632234461067962436319766"]},"deprecated":false,"target":{"file":"winpr/libwinpr/sspi/NTLM/ntlm_message.c"},"source":"https://github.com/freerdp/freerdp/commit/48361c411e50826cb602c7aab773a8a20e1da6bc","signature_version":"v1"},{"signature_type":"Function","id":"CVE-2020-13396-aef42ce7","digest":{"length":5267,"function_hash":"125645356907423761258287778149584943230"},"deprecated":false,"target":{"file":"winpr/libwinpr/sspi/NTLM/ntlm_message.c","function":"ntlm_read_ChallengeMessage"},"source":"https://github.com/freerdp/freerdp/commit/48361c411e50826cb602c7aab773a8a20e1da6bc","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-11T22:58:13Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L"}]}