Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in resize_vbar_entry() in libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count before the winpr_aligned_recalloc() call. If realloc fails, size is inflated while pixels still points to the old, smaller buffer. On a subsequent call where count <= size (the inflated value), realloc is skipped. The caller then writes count * bpp bytes of attacker-controlled pixel data into the undersized buffer, causing a heap buffer overflow. This issue has been patched in version 3.24.2.
Published: 2026-03-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A heap buffer overflow exists in the ClearCodec component of FreeRDP, triggered when the resize_vbar_entry function incorrectly updates an internal pixel buffer size before reallocating memory. If the realloc fails, the buffer size is inflated while the pixel data pointer still references the original, smaller memory block. Subsequent writes of attacker‑controlled pixel data then overflow this undersized buffer, corrupting heap memory. This flaw corresponds to unresolved memory corruption weaknesses (CWE‑122) and inflated array size errors (CWE‑131). The overflow can potentially allow an attacker to execute arbitrary code on a host running a vulnerable instance of FreeRDP, compromising confidentiality, integrity, and availability of the system.

Affected Systems

The vulnerability affects the FreeRDP project’s FreeRDP library. Versions prior to 3.24.2 are susceptible; the issue was remediated in 3.24.2 and later releases. All deployments that utilize the affected FreeRDP component—whether as a client or server—are at risk if they have not applied the patch.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in CISA’s KEV catalog, indicating no documented exploitation. Attackers would most likely target an RDP session where the vulnerable FreeRDP instance processes image data; the exploit requires the attacker to supply carefully crafted pixel data and may need elevated privileges if host restrictions are in place. Given the high potential impact, organizations should treat the flaw as significant even though the expected exploitation likelihood remains low.

Generated by OpenCVE AI on April 2, 2026 at 04:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to version 3.24.2 or later.

Generated by OpenCVE AI on April 2, 2026 at 04:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Freerdp
Freerdp freerdp
Vendors & Products Freerdp
Freerdp freerdp
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in resize_vbar_entry() in libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count before the winpr_aligned_recalloc() call. If realloc fails, size is inflated while pixels still points to the old, smaller buffer. On a subsequent call where count <= size (the inflated value), realloc is skipped. The caller then writes count * bpp bytes of attacker-controlled pixel data into the undersized buffer, causing a heap buffer overflow. This issue has been patched in version 3.24.2.
Title FreeRDP: ClearCodec resize_vbar_entry() Heap OOB Write
Weaknesses CWE-122
CWE-131
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Freerdp Freerdp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T12:57:14.482Z

Reserved: 2026-03-24T22:20:06.211Z

Link: CVE-2026-33984

cve-icon Vulnrichment

Updated: 2026-04-02T12:57:11.179Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T22:16:19.567

Modified: 2026-04-01T20:02:05.927

Link: CVE-2026-33984

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-30T21:42:57Z

Links: CVE-2026-33984 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:53:52Z

Weaknesses