Skip to main content

Red Hat EUVDEUVD-2026-17223

| CVE-2026-33977 MEDIUM
Reachable Assertion (CWE-617)
2026-03-30 GitHub_M
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ubuntu
MEDIUM
qualitative
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 30, 2026 - 22:15 euvd
EUVD-2026-17223
Analysis Generated
Mar 30, 2026 - 22:15 vuln.today
CVE Published
Mar 30, 2026 - 21:41 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a malicious RDP server can crash the FreeRDP client by sending audio data in IMA ADPCM format with an invalid initial step index value (>= 89). The unvalidated step index is read directly from the network and used to index into a 89-entry lookup table, triggering a WINPR_ASSERT() failure and process abort via SIGABRT. This affects any FreeRDP client that has audio redirection (RDPSND) enabled, which is the default configuration. This issue has been patched in version 3.24.2.

AnalysisAI

Denial of service in FreeRDP prior to version 3.24.2 allows remote attackers to crash the client via a malicious RDP server sending IMA ADPCM audio data with an invalid step index value (≥89). The unvalidated network-supplied index causes an out-of-bounds access into an 89-entry lookup table, triggering a WINPR_ASSERT() failure and process abort. This affects all FreeRDP clients with audio redirection enabled (the default configuration), requiring user interaction to establish an RDP connection but no authentication. No public exploit code identified at time of analysis.

Technical ContextAI

FreeRDP implements Remote Desktop Protocol (RDP) audio redirection (RDPSND channel) with support for IMA ADPCM codec decoding. IMA ADPCM (Interactive Multimedia Association Adaptive Differential Pulse-Code Modulation) uses a step index value to quantize audio samples during decompression. The vulnerability exists in the audio codec handler that processes IMA ADPCM frames from untrusted RDP server sources. CWE-617 (Reachable Assertion) identifies the root cause: a WINPR_ASSERT() macro is triggered when the step index value, read directly from network data without validation, exceeds the bounds of a 89-entry lookup table used for codec state. This is fundamentally a missing input validation issue in the audio decompression pipeline that processes adversary-controlled data.

RemediationAI

Vendor-released patch: FreeRDP version 3.24.2 or later. Organizations should immediately upgrade FreeRDP clients to version 3.24.2 or later through standard package managers (apt for Debian/Ubuntu, or equivalent for other distributions). As a temporary workaround pending patching, disable audio redirection in FreeRDP client configuration (set audio redirection to off in connection settings or configuration files) to prevent processing of malicious audio data, though this sacrifices audio functionality. For details, refer to the GitHub security advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8f2g-3q27-6xm5 and the upstream commit at https://github.com/FreeRDP/FreeRDP/commit/9be3f03d94a50892fd58a9f7dee72b2313c69b47.

Vendor StatusVendor

Ubuntu

Priority: Medium
freerdp
Release Status Version
xenial needs-triage -
bionic needs-triage -
jammy DNE -
noble DNE -
questing DNE -
upstream needs-triage -
freerdp2
Release Status Version
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
questing DNE -
upstream needs-triage -
freerdp3
Release Status Version
jammy DNE -
noble needs-triage -
questing needs-triage -
upstream needs-triage -

Debian

freerdp2
Release Status Fixed Version Urgency
bullseye vulnerable 2.3.0+dfsg1-2+deb11u1 -
bullseye (security) vulnerable 2.3.0+dfsg1-2+deb11u3 -
bookworm vulnerable 2.11.7+dfsg1-6~deb12u1 -
(unstable) fixed (unfixed) -
freerdp3
Release Status Fixed Version Urgency
trixie vulnerable 3.15.0+dfsg-2.1 -
forky, sid fixed 3.24.2+dfsg-1 -
(unstable) fixed 3.24.2+dfsg-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

EUVD-2026-17223 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy