Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a malicious RDP server can crash the FreeRDP client by sending audio data in IMA ADPCM format with an invalid initial step index value (>= 89). The unvalidated step index is read directly from the network and used to index into an 89-entry lookup table, triggering a WINPR_ASSERT() failure and process abort via SIGABRT. This affects any FreeRDP client that has audio redirection (RDPSND) enabled, which is the default configuration. This issue has been patched in version 3.24.2.
Published: 2026-03-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via client crash
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is located in the IMA ADPCM audio decoder used by the FreeRDP client. When a Remote Desktop Protocol server sends audio data that contains an invalid initial step index value of 89 or greater, the decoder reads this value directly from the network and uses it to index into a fixed 89-entry lookup table. Because the value is not validated, a lookup beyond the bounds of the table triggers a WINPR_ASSERT failure, which causes the client process to abort with a SIGABRT signal. This results in a denial of service for the affected client, interrupting remote desktop sessions.
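The following C fragment is an added illustration of the missing check described above; it is not FreeRDP's code and uses hypothetical function names (ima_read_block_header, ima_decode_nibble). It assumes the standard IMA ADPCM block header layout (int16 little-endian predictor, uint8 step index, uint8 reserved) and shows the header parser rejecting an out-of-range step index with an error return instead of an assertion, followed by the standard nibble decode whose index update is clamped.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Standard IMA ADPCM step-size table: exactly 89 entries (indices 0..88). */
#define IMA_STEP_TABLE_SIZE 89
static const int16_t ima_step_table[IMA_STEP_TABLE_SIZE] = {
    7, 8, 9, 10, 11, 12, 13, 14, 16, 17, 19, 21, 23, 25, 28, 31, 34, 37, 41, 45,
    50, 55, 60, 66, 73, 80, 88, 97, 107, 118, 130, 143, 157, 173, 190, 209, 230,
    253, 279, 307, 337, 371, 408, 449, 494, 544, 598, 658, 724, 796, 876, 963,
    1060, 1166, 1282, 1411, 1552, 1707, 1878, 2066, 2272, 2499, 2749, 3024, 3327,
    3660, 4026, 4428, 4871, 5358, 5894, 6484, 7132, 7845, 8630, 9493, 10442,
    11487, 12635, 13899, 15289, 16818, 18500, 20350, 22385, 24623, 27086, 29794, 32767 };
/* Step-index adjustment selected by the nibble's three magnitude bits. */
static const int8_t ima_index_table[8] = { -1, -1, -1, -1, 2, 4, 6, 8 };

typedef struct { int16_t predictor; int step_index; } ima_state;

/* Parse the 4-byte per-channel block header: int16 LE predictor, uint8 step
 * index, uint8 reserved. Hypothetical helper (not FreeRDP's code): malformed
 * input is reported to the caller instead of tripping an assertion. */
bool ima_read_block_header(const uint8_t *src, size_t len, ima_state *st)
{
    if (src == NULL || st == NULL || len < 4)
        return false;
    st->predictor = (int16_t)(src[0] | (src[1] << 8));
    st->step_index = src[2];
    /* The bounds check the advisory describes as missing: a network-supplied
     * index of 89 or more would otherwise read past the end of the table. */
    return st->step_index < IMA_STEP_TABLE_SIZE;
}

/* Decode one 4-bit sample with the standard IMA ADPCM update rules. Expects a
 * state accepted by ima_read_block_header; the index update is clamped so the
 * next table lookup also stays in range. */
int16_t ima_decode_nibble(ima_state *st, uint8_t nibble)
{
    int step = ima_step_table[st->step_index];
    int diff = step >> 3;
    if (nibble & 4) diff += step;
    if (nibble & 2) diff += step >> 1;
    if (nibble & 1) diff += step >> 2;
    int pred = st->predictor + ((nibble & 8) ? -diff : diff);
    st->predictor = (int16_t)(pred > 32767 ? 32767 : pred < -32768 ? -32768 : pred);
    st->step_index += ima_index_table[nibble & 7];
    if (st->step_index < 0) st->step_index = 0;
    if (st->step_index > IMA_STEP_TABLE_SIZE - 1) st->step_index = IMA_STEP_TABLE_SIZE - 1;
    return st->predictor;
}
```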

Affected Systems

All installations of FreeRDP that have audio redirection (RDPSND) enabled are vulnerable. Audio redirection is enabled by default, so any FreeRDP client running a version earlier than 3.24.2 will crash when it receives a specially crafted IMA ADPCM audio packet from a malicious RDP server. The flaw applies to all platforms that run FreeRDP, regardless of operating system.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. The vulnerability is network accessible, as it requires only an RDP server that can send crafted audio data to the client. While the EPSS score is not available and the flaw is not listed in CISA's KEV catalog, a remote attacker who controls the server can force the client to crash by sending an audio packet with an out-of-range step index. The impact is limited to service disruption for the affected client; there is no direct impact on the remote server or on data confidentiality or integrity.

Generated by OpenCVE AI on March 31, 2026 at 06:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to version 3.24.2 or later, where the missing bounds check on the step index is fixed.
  • If an upgrade cannot be performed immediately, disable RDPSND audio redirection in the client configuration.
  • Monitor for anomalous RDP traffic or configure network filtering to block potentially malicious audio packets.

Tracking

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Freerdp
Freerdp freerdp
Weaknesses CWE-1285
Vendors & Products Freerdp
Freerdp freerdp
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a malicious RDP server can crash the FreeRDP client by sending audio data in IMA ADPCM format with an invalid initial step index value (>= 89). The unvalidated step index is read directly from the network and used to index into a 89-entry lookup table, triggering a WINPR_ASSERT() failure and process abort via SIGABRT. This affects any FreeRDP client that has audio redirection (RDPSND) enabled, which is the default configuration. This issue has been patched in version 3.24.2.
Title FreeRDP: DoS via WINPR_ASSERT in IMA ADPCM audio decoder (dsp.c:331)
Weaknesses CWE-617
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T19:09:29.001Z

Reserved: 2026-03-24T22:20:06.210Z

Link: CVE-2026-33977

Vulnrichment

Updated: 2026-03-31T19:06:03.417Z

NVD

Status : Received

Published: 2026-03-30T22:16:19.117

Modified: 2026-03-31T20:16:27.917

Link: CVE-2026-33977

Redhat

Severity : Moderate

Public Date: 2026-03-30T21:41:36Z

Links: CVE-2026-33977 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-31T20:39:59Z

Weaknesses