Skip to main content

Freerdp CVE-2026-31883

| EUVDEUVD-2026-12061 MEDIUM
Integer Underflow (CWE-191)
2026-03-13 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
7.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
3.24.0
EUVD ID Assigned
Mar 13, 2026 - 18:00 euvd
EUVD-2026-12061
Analysis Generated
Mar 13, 2026 - 18:00 vuln.today
CVE Published
Mar 13, 2026 - 17:35 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.

AnalysisAI

Size_t integer underflow vulnerability in FreeRDP's IMA-ADPCM and MS-ADPCM audio decoders that triggers a heap buffer overflow write via the RDPSND audio channel. All FreeRDP versions prior to 3.24.0 are affected. An unauthenticated remote attacker can exploit this vulnerability over the network without user interaction to cause information disclosure and data corruption, though not denial of service based on the CVSS impact ratings.

Technical ContextAI

The vulnerability exists in libfreerdp/codec/dsp.c within the audio codec implementations for the Remote Desktop Protocol (RDP). Specifically, the IMA-ADPCM and MS-ADPCM decoders (used in RDP's RDPSND audio channel) perform arithmetic operations on a size_t variable without bounds checking. When a server sends a crafted nBlockAlign value such that size % block_size == 0, the code subtracts a header size (4 or 8 bytes) from size at a point where size is already smaller than the header. This causes an unsigned integer underflow (CWE-191), wrapping size to approximately SIZE_MAX (~18 exabytes on 64-bit systems). The subsequent while (size > 0) loop then executes for an astronomically large number of iterations, writing beyond allocated heap buffer boundaries. The root cause is the failure to validate that size >= header_size before performing the subtraction. This affects FreeRDP versions prior to 3.24.0 (CPE: cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:* with version constraint < 3.24.0).

RemediationAI

Immediate remediation: Upgrade FreeRDP to version 3.24.0 or later. Organizations using FreeRDP < 3.24.0 should prioritize patching within a 30-day window given the network-accessible nature of the vulnerability. Temporary mitigations prior to patching: (1) Disable RDPSND audio channel if audio is not required (configure RDP client/server to exclude ADPCM codecs); (2) Implement network-level controls to restrict RDP connections to trusted servers only, reducing the attack surface from untrusted or potentially compromised RDP servers; (3) Run FreeRDP in sandboxed environments with restricted memory access to limit the impact of heap overflow. Patch availability confirmed via GitHub repository at https://github.com/FreeRDP/FreeRDP/commit/16df2300e1e3f5a51f68fb1626429e58b531b7c8.

CVE-2026-25997 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth

CVE-2026-25953 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corrupti

CVE-2026-25952 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory cor

CVE-2026-25959 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers mem

CVE-2026-22857 CRITICAL POC
9.8 Jan 14

FreeRDP IRP thread handler has a use-after-free where the IRP is freed by Complete() then accessed on the error path. Fi

CVE-2026-22854 CRITICAL POC
9.8 Jan 14

FreeRDP drive read heap overflow when server-controlled read length exceeds IRP output buffer. Fixed in 3.20.1. PoC avai

CVE-2026-22852 CRITICAL POC
9.8 Jan 14

FreeRDP client before 3.20.1 has a heap buffer overflow in AUDIN format processing. A malicious RDP server can corrupt m

CVE-2026-25955 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and

CVE-2024-32041 CRITICAL POC
9.8 Apr 22

FreeRDP is a free implementation of the Remote Desktop Protocol. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2023-40574 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40569 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40567 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Linux Enterprise Workstation Extension 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Fixed
openSUSE Leap 15.6 Fixed

Share

CVE-2026-31883 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy