Skip to main content

Freerdp CVE-2026-33983

| EUVDEUVD-2026-17227 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-03-30 GitHub_M
6.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
qualitative
SUSE
MEDIUM
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 30, 2026 - 22:15 euvd
EUVD-2026-17227
Analysis Generated
Mar 30, 2026 - 22:15 vuln.today
CVE Published
Mar 30, 2026 - 21:42 nvd
MEDIUM 6.5

DescriptionCVE.org

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, progressive_decompress_tile_upgrade() detects a mismatch via progressive_rfx_quant_cmp_equal() but only emits WLog_WARN, execution continues. The wrapped value (247) is used as a shift exponent, causing undefined behavior and an approximately 80 billion iteration loop (CPU DoS). This issue has been patched in version 3.24.2.

AnalysisAI

FreeRDP versions prior to 3.24.2 contain an integer overflow vulnerability in the progressive_decompress_tile_upgrade() function that allows unauthenticated remote attackers to cause a denial of service through CPU exhaustion. When processing malformed Remote Desktop Protocol (RDP) streams, a wrapped integer value (247) is incorrectly used as a bit-shift exponent, triggering undefined behavior and creating an approximately 80 billion iteration loop that consumes CPU resources. The vulnerability requires user interaction (UI:R) to trigger, and no public exploit code has been identified at the time of analysis.

Technical ContextAI

FreeRDP is a free, open-source implementation of the Microsoft Remote Desktop Protocol (RDP) used for remote desktop access and virtualization. The vulnerability exists in the progressive RFX (RemoteFX) tile decompression logic, specifically in the progressive_decompress_tile_upgrade() function. When processing progressive-encoded tiles, the code calls progressive_rfx_quant_cmp_equal() to detect quantization mismatches in the RFX codec data. However, if a mismatch is detected, the function only issues a WLog_WARN warning and continues execution instead of handling the error condition properly. This allows a subsequent operation to use an invalid wrapped integer value (247) as a bit-shift exponent in a bitwise operation, which according to the C standard produces undefined behavior. On most architectures, this results in an excessively large loop iteration count (approximately 80 billion cycles), causing severe CPU consumption. The root cause is classified under CWE-190 (Integer Overflow or Wraparound), combined with improper error handling when quantization validation fails.

RemediationAI

Upgrade FreeRDP to version 3.24.2 or later, which contains the fix referenced in GitHub commit 78188ab479c8e6eb9ba2475b3732c76b4bbe5425. Ubuntu users should check security advisories for their specific releases and apply updates from the security repository (priority=medium per Ubuntu tracker). Debian users should update through the stable-security or testing repositories as packages become available (7 releases tracked). Users unable to patch immediately should restrict RDP access to trusted networks, disable RDP services if not required, or implement firewall rules to limit RDP port (3389/TCP) exposure. For client-side usage, avoid connecting to RDP servers from untrusted sources until the patch is deployed.

CVE-2026-25997 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth

CVE-2026-25953 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corrupti

CVE-2026-25952 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory cor

CVE-2026-25959 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers mem

CVE-2026-22857 CRITICAL POC
9.8 Jan 14

FreeRDP IRP thread handler has a use-after-free where the IRP is freed by Complete() then accessed on the error path. Fi

CVE-2026-22854 CRITICAL POC
9.8 Jan 14

FreeRDP drive read heap overflow when server-controlled read length exceeds IRP output buffer. Fixed in 3.20.1. PoC avai

CVE-2026-22852 CRITICAL POC
9.8 Jan 14

FreeRDP client before 3.20.1 has a heap buffer overflow in AUDIN format processing. A malicious RDP server can corrupt m

CVE-2026-25955 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and

CVE-2024-32041 CRITICAL POC
9.8 Apr 22

FreeRDP is a free implementation of the Remote Desktop Protocol. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2023-40574 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40569 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40567 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

Vendor StatusVendor

Ubuntu

Priority: Medium
freerdp
Release Status Version
xenial needs-triage -
bionic needs-triage -
jammy DNE -
noble DNE -
questing DNE -
upstream needs-triage -
freerdp2
Release Status Version
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
questing DNE -
upstream needs-triage -
freerdp3
Release Status Version
jammy DNE -
noble needs-triage -
questing needs-triage -
upstream needs-triage -

Debian

freerdp2
Release Status Fixed Version Urgency
bullseye vulnerable 2.3.0+dfsg1-2+deb11u1 -
bullseye (security) vulnerable 2.3.0+dfsg1-2+deb11u3 -
bookworm vulnerable 2.11.7+dfsg1-6~deb12u1 -
(unstable) fixed (unfixed) -
freerdp3
Release Status Fixed Version Urgency
trixie vulnerable 3.15.0+dfsg-2.1 -
forky, sid fixed 3.24.2+dfsg-1 -
(unstable) fixed 3.24.2+dfsg-1 -

SUSE

Severity: Medium
Product Status
SUSE Liberty Linux 10 Fixed
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed

Share

CVE-2026-33983 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy