Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in resize_vbar_entry() in libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count before the winpr_aligned_recalloc() call. If realloc fails, size is inflated while pixels still points to the old, smaller buffer. On a subsequent call where count <= size (the inflated value), realloc is skipped. The caller then writes count * bpp bytes of attacker-controlled pixel data into the undersized buffer, causing a heap buffer overflow. This issue has been patched in version 3.24.2.
Published: 2026-03-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

FreeRDP implements the Remote Desktop Protocol and contains a heap out-of-bounds write in the ClearCodec resize_vbar_entry() function in libfreerdp/codec/clear.c. When the codec grows a vBarEntry buffer, it sets vBarEntry->size to the requested count before calling winpr_aligned_recalloc(). If that reallocation fails, size is left inflated while pixels still points to the old, smaller buffer. On a later call whose count fits within the inflated size, the reallocation is skipped, and the caller writes count * bpp bytes of attacker-controlled pixel data into the undersized buffer, corrupting adjacent heap memory. The overflow can lead to arbitrary code execution or a denial of service in the affected client or server process.
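The following C model is an added example, not FreeRDP's own code, and reproduces the ordering bug described in the Description and in the paragraph above with the fixed ordering beside it. The vbar_entry struct, the fake_recalloc() allocator with its failure switch, the BPP constant and the run_scenario() driver are assumptions chosen for illustration; they stand in for vBarEntry, winpr_aligned_recalloc() and the calling code in libfreerdp/codec/clear.c. The page does not say how the failed reallocation is induced, so the model simply forces one. The overflowing write is never performed; the driver only reports whether the caller's count * bpp bytes would exceed the buffer's real capacity.

```c
/* Illustrative model of the resize-before-realloc bug: NOT FreeRDP's code.
 * Assumed names: vbar_entry, fake_recalloc, BPP, run_scenario. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint32_t count;    /* pixels the caller is about to write            */
    uint32_t size;     /* pixels the code *believes* the buffer can hold */
    uint8_t *pixels;   /* the heap buffer                                */
    size_t   capacity; /* bookkeeping only: true byte capacity, for the check */
} vbar_entry;

enum { BPP = 4 };      /* bytes per pixel assumed for the model */

/* Set by the driver to make the next allocation fail (out-of-memory). */
static int g_fail_next_alloc = 0;

/* Stand-in for winpr_aligned_recalloc(): grow to n*elem zeroed bytes.
 * On failure returns NULL and leaves the old buffer and its capacity untouched. */
static void *fake_recalloc(void *old, size_t n, size_t elem, size_t *cap)
{
    if (g_fail_next_alloc) {
        g_fail_next_alloc = 0;
        return NULL;
    }
    size_t bytes = n * elem;
    void *p = realloc(old, bytes);
    if (!p)
        return NULL;
    memset(p, 0, bytes);
    *cap = bytes;
    return p;
}

/* Vulnerable ordering: size is published before the allocation succeeds. */
static int resize_vulnerable(vbar_entry *e)
{
    if (e->count > e->size) {
        e->size = e->count;                 /* inflated even if realloc fails */
        void *p = fake_recalloc(e->pixels, e->size, BPP, &e->capacity);
        if (!p)
            return -1;                      /* size inflated, pixels still the old buffer */
        e->pixels = p;
    }
    return 0;
}

/* Fixed ordering: allocate first, publish the new size only on success. */
static int resize_fixed(vbar_entry *e)
{
    if (e->count > e->size) {
        void *p = fake_recalloc(e->pixels, e->count, BPP, &e->capacity);
        if (!p)
            return -1;                      /* size and pixels remain consistent */
        e->pixels = p;
        e->size = e->count;
    }
    return 0;
}

/* Drive the two-call sequence from the advisory against one resize
 * implementation. Returns 1 if the caller's write of count*BPP bytes
 * would exceed the real capacity, 0 otherwise. The write is not done. */
static int run_scenario(int (*resize)(vbar_entry *))
{
    vbar_entry e = { 0 };

    e.count = 16;                    /* initial small buffer: 16 * BPP = 64 bytes */
    (void)resize(&e);

    g_fail_next_alloc = 1;           /* call 1: grow to 4096 pixels, realloc fails;   */
    e.count = 4096;                  /* the error is reported, but the entry persists  */
    (void)resize(&e);                /* into the next call with whatever state it left */

    e.count = 256;                   /* call 2: 256 <= inflated size? then realloc is skipped */
    (void)resize(&e);

    size_t needed = (size_t)e.count * BPP;
    int overflow = needed > e.capacity;
    free(e.pixels);
    return overflow;
}

int main(void)
{
    printf("vulnerable ordering would overflow: %d\n", run_scenario(resize_vulnerable));
    printf("fixed ordering would overflow:      %d\n", run_scenario(resize_fixed));
    return 0;
}
```

With the vulnerable ordering the second call sees count (256) below the inflated size (4096), skips the reallocation, and the caller's 1024-byte write lands in the 64-byte buffer left over from the first allocation; with the fixed ordering size is still 16 after the failed call, so the second call reallocates to 1024 bytes before any write. The general check this models is the invariant that a capacity field must never advance ahead of the allocation it describes.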

Affected Systems

The flaw affects all releases of FreeRDP older than version 3.24.2. Any installation that compiles or links against these versions, regardless of operating system, is vulnerable.

Risk and Exploitability

The CVSS base score of 7.5 indicates high severity. The EPSS score is below 1% and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the flaw is triggered remotely via malicious RDP traffic. The vector (AV:N/AC:H/PR:N/UI:R) requires user interaction and rates attack complexity as High, consistent with the precondition that a reallocation must first fail before the skipped resize leads to the overflow. No public exploit code is documented, but the resulting heap corruption could be leveraged by a skilled attacker to take control of the process.

Generated by OpenCVE AI on March 31, 2026 at 06:24 UTC.

Remediation

The vendor fix is FreeRDP 3.24.2, which corrects the ordering in resize_vbar_entry(). No workaround for earlier versions is documented.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to version 3.24.2 or later.



Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type                  Values Removed     Values Added
First Time appeared                      Freerdp
                                         Freerdp freerdp
Vendors & Products                       Freerdp
                                         Freerdp freerdp
References
Metrics               threat_severity    threat_severity
                      None               Important


Tue, 31 Mar 2026 03:00:00 +0000

Type          Values Removed   Values Added
Description                    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in resize_vbar_entry() in libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count before the winpr_aligned_recalloc() call. If realloc fails, size is inflated while pixels still points to the old, smaller buffer. On a subsequent call where count <= size (the inflated value), realloc is skipped. The caller then writes count * bpp bytes of attacker-controlled pixel data into the undersized buffer, causing a heap buffer overflow. This issue has been patched in version 3.24.2.
Title                          FreeRDP: ClearCodec resize_vbar_entry() Heap OOB Write
Weaknesses                     CWE-122
                               CWE-131
References
Metrics                        cvssV3_1
                               {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T21:42:57.090Z

Reserved: 2026-03-24T22:20:06.211Z

Link: CVE-2026-33984

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-30T22:16:19.567

Modified: 2026-03-30T22:16:19.567

Link: CVE-2026-33984

Redhat

Severity : Important

Public Date: 2026-03-30T21:42:57Z

Links: CVE-2026-33984 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-31T20:39:56Z

Weaknesses