Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.
Published: 2026-03-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap Buffer Overflow
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders of FreeRDP, which results in a heap buffer overflow when audio data is received over the RDPSND channel. The underflow occurs during block header parsing when the size value becomes smaller than the header size, causing the subtraction to wrap around to a very large value. The loop then iterates an astronomical number of times, writing beyond the intended buffer. This heap corruption can lead to memory corruption, application crashes, or, in the worst case, arbitrary code execution, compromising confidentiality, integrity, and availability of the system.

Affected Systems

The flaw affects all FreeRDP releases prior to version 3.24.0. The affected product is FreeRDP (cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*). Any deployment of these older releases that processes audio streams via the RDPSND channel is vulnerable.

Risk and Exploitability

The CVSS score is 6.5, indicating a medium severity. EPSS is below 1%, suggesting exploit likelihood is low, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a Remote Desktop Protocol session where the server sends crafted audio data over the RDPSND channel; the attacker can trigger the buffer overflow by manipulating the block alignment parameter. While the current exploit probability is low, vulnerable systems remain at risk of denial of service or potential code execution under suitable conditions.

Generated by OpenCVE AI on March 17, 2026 at 16:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply FreeRDP version 3.24.0 or later to eliminate the underflow.
  • If an immediate update is not possible, disable or block the RDPSND audio channel to prevent audio data from reaching the vulnerable decoder.
  • Verify that the system is running the patched version or has the audio channel disabled.
  • Monitor application logs for any signs of memory corruption or crashes.

Generated by OpenCVE AI on March 17, 2026 at 16:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

Mon, 16 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Freerdp
Freerdp freerdp
Vendors & Products Freerdp
Freerdp freerdp

Sat, 14 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 13 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.
Title FreeRDP has a `size_t` underflow in ADPCM decoder leads to heap-buffer-overflow write
Weaknesses CWE-122
CWE-191
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Freerdp Freerdp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T17:02:52.737Z

Reserved: 2026-03-09T21:59:02.686Z

Link: CVE-2026-31883

cve-icon Vulnrichment

Updated: 2026-03-16T17:02:44.300Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-13T19:54:37.190

Modified: 2026-03-17T14:26:13.760

Link: CVE-2026-31883

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-13T17:35:17Z

Links: CVE-2026-31883 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:39:37Z

Weaknesses