Skip to main content

Freerdp CVE-2026-33986

| EUVDEUVD-2026-17233 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-03-30 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 30, 2026 - 22:15 euvd
EUVD-2026-17233
Analysis Generated
Mar 30, 2026 - 22:15 vuln.today
CVE Published
Mar 30, 2026 - 21:43 nvd
HIGH 7.5

DescriptionCVE.org

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in yuv_ensure_buffer() in libfreerdp/codec/h264.c, h264->width and h264->height are updated before the reallocation loop. If any winpr_aligned_recalloc() call fails, the function returns FALSE but width/height are already inflated. This issue has been patched in version 3.24.2.

AnalysisAI

Heap buffer overflow in FreeRDP's H.264 YUV decoder (versions before 3.24.2) allows remote attackers to potentially achieve code execution via specially crafted RDP sessions. The vulnerability stems from premature dimension updates in yuv_ensure_buffer() that persist when memory reallocation fails, creating exploitable memory corruption conditions. Attack requires user interaction (connecting to malicious RDP server) and moderate complexity (CVSS AC:H). No public exploit identified at time of analysis, though CVSS 7.5 HIGH score reflects potential for complete system compromise (C:H/I:H/A:H).

Technical ContextAI

FreeRDP implements the Remote Desktop Protocol and includes codec libraries for media processing. The vulnerability resides in libfreerdp/codec/h264.c within the yuv_ensure_buffer() function, which handles YUV color space conversion for H.264 video streams in RDP sessions. The flaw is a classic CWE-122 heap-based buffer overflow caused by incorrect state management during dynamic memory allocation. The function updates h264->width and h264->height parameters before completing a loop of winpr_aligned_recalloc() calls. If any reallocation fails mid-loop, the function returns FALSE but leaves width/height values inflated beyond actual allocated buffer sizes. Subsequent operations using these inflated dimensions can write beyond heap buffer boundaries, enabling memory corruption. This represents a TOCTOU-style race between dimension updates and buffer allocation that violates error-handling invariants.

RemediationAI

Vendor-released patch: FreeRDP version 3.24.2 fully resolves this vulnerability. Upgrade immediately to version 3.24.2 or later from official distribution channels (https://github.com/FreeRDP/FreeRDP). The fix is implemented in commit f6e43e208958140074ae9bb93cd0c9045a371c77, which corrects the state management in yuv_ensure_buffer() to ensure width/height updates only persist after successful buffer reallocation. For Linux distributions, apply security updates through standard package managers as Ubuntu and Debian release patched versions. Organizations unable to immediately upgrade should restrict RDP client connections to only trusted, authenticated RDP servers and avoid connecting to unknown or third-party RDP endpoints until patching is complete. Network-level controls preventing outbound RDP connections to untrusted networks provide defense-in-depth. Consult the official security advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h6qw-wxvm-hf97 for additional vendor guidance.

CVE-2026-25997 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth

CVE-2026-25953 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corrupti

CVE-2026-25952 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory cor

CVE-2026-25959 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers mem

CVE-2026-22857 CRITICAL POC
9.8 Jan 14

FreeRDP IRP thread handler has a use-after-free where the IRP is freed by Complete() then accessed on the error path. Fi

CVE-2026-22854 CRITICAL POC
9.8 Jan 14

FreeRDP drive read heap overflow when server-controlled read length exceeds IRP output buffer. Fixed in 3.20.1. PoC avai

CVE-2026-22852 CRITICAL POC
9.8 Jan 14

FreeRDP client before 3.20.1 has a heap buffer overflow in AUDIN format processing. A malicious RDP server can corrupt m

CVE-2026-25955 CRITICAL POC
9.8 Feb 25

Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and

CVE-2024-32041 CRITICAL POC
9.8 Apr 22

FreeRDP is a free implementation of the Remote Desktop Protocol. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2023-40574 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40569 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

CVE-2023-40567 CRITICAL POC
9.8 Aug 31

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Rated critical

Vendor StatusVendor

Ubuntu

Priority: Medium
freerdp
Release Status Version
xenial needs-triage -
bionic needs-triage -
jammy DNE -
noble DNE -
questing DNE -
upstream needs-triage -
freerdp2
Release Status Version
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
questing DNE -
upstream needs-triage -
freerdp3
Release Status Version
jammy DNE -
noble needs-triage -
questing needs-triage -
upstream needs-triage -

Debian

freerdp2
Release Status Fixed Version Urgency
bullseye vulnerable 2.3.0+dfsg1-2+deb11u1 -
bullseye (security) vulnerable 2.3.0+dfsg1-2+deb11u3 -
bookworm vulnerable 2.11.7+dfsg1-6~deb12u1 -
(unstable) fixed (unfixed) -
freerdp3
Release Status Fixed Version Urgency
trixie vulnerable 3.15.0+dfsg-2.1 -
forky, sid fixed 3.24.2+dfsg-1 -
(unstable) fixed 3.24.2+dfsg-1 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-33986 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy