Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in yuv_ensure_buffer() in libfreerdp/codec/h264.c, h264->width and h264->height are updated before the reallocation loop. If any winpr_aligned_recalloc() call fails, the function returns FALSE but width/height are already inflated. This issue has been patched in version 3.24.2.
Published: 2026-03-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap Out-of-Bounds Write
Action: Patch Immediately
AI Analysis

Impact

A buffer dimension desynchronization occurs in the H.264 YUV buffer-management routine of FreeRDP. The width and height fields are updated before the reallocation loop runs; if any allocation in that loop fails, the function exits early while the recorded dimensions already reflect the new, larger size, leaving them out of step with the buffers that were actually allocated and resulting in a heap out-of-bounds write. This memory corruption can undermine integrity and, in certain contexts, may allow an attacker to execute arbitrary code. The weakness aligns with CWE-122 and CWE-131.
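The ordering defect described above and in the CVE text is easy to reproduce in miniature. The following C program is an added, constructed model and is not FreeRDP's code or the 3.24.2 patch: the `yuv_ctx` struct, the fault-injecting `fallible_recalloc()` standing in for `winpr_aligned_recalloc()`, and the two `ensure_buffer_*` functions are all hypothetical. It shows the vulnerable ordering (dimensions committed before the reallocation loop), the hardened ordering (allocate into temporaries, commit only after every allocation succeeds), and the invariant a decoder should be able to rely on before writing a frame.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a YUV buffer context (not FreeRDP's struct): three
 * planes whose sizes are derived from the recorded width and height. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint8_t *plane[3];
    size_t   plane_size[3];
} yuv_ctx;

/* Hypothetical fault-injecting allocator standing in for winpr_aligned_recalloc():
 * call number g_fail_on (1-based, 0 = never) returns NULL. As with realloc(),
 * the caller's old pointer stays valid on failure. */
static int g_alloc_calls = 0;
static int g_fail_on = 0;

static void *fallible_recalloc(void *old, size_t n)
{
    g_alloc_calls++;
    if (g_fail_on != 0 && g_alloc_calls == g_fail_on)
        return NULL;
    uint8_t *p = realloc(old, n);
    if (p)
        memset(p, 0, n);   /* zero-fill like a recalloc (old contents not preserved here) */
    return p;
}

/* Vulnerable ordering, mirroring the advisory: width/height are committed
 * before the reallocation loop, so a failed allocation leaves the dimensions
 * inflated while some planes keep their old, smaller size. */
static bool ensure_buffer_vulnerable(yuv_ctx *ctx, uint32_t w, uint32_t h)
{
    size_t need = (size_t)w * h;            /* full-size planes for simplicity */
    ctx->width  = w;                        /* committed too early */
    ctx->height = h;
    for (int i = 0; i < 3; i++) {
        uint8_t *p = fallible_recalloc(ctx->plane[i], need);
        if (!p)
            return false;                   /* width/height already inflated */
        ctx->plane[i]      = p;
        ctx->plane_size[i] = need;
    }
    return true;
}

/* Hardened ordering: allocate into temporaries and commit planes and
 * dimensions only after every allocation succeeded; on failure ctx is untouched. */
static bool ensure_buffer_fixed(yuv_ctx *ctx, uint32_t w, uint32_t h)
{
    size_t need = (size_t)w * h;
    uint8_t *fresh[3] = { NULL, NULL, NULL };
    for (int i = 0; i < 3; i++) {
        fresh[i] = fallible_recalloc(NULL, need);
        if (!fresh[i]) {
            for (int j = 0; j < i; j++)
                free(fresh[j]);
            return false;                   /* nothing in ctx has changed */
        }
    }
    for (int i = 0; i < 3; i++) {
        free(ctx->plane[i]);
        ctx->plane[i]      = fresh[i];
        ctx->plane_size[i] = need;
    }
    ctx->width  = w;
    ctx->height = h;
    return true;
}

/* Invariant a frame writer relies on: every plane holds width*height bytes.
 * If it is false, a write sized from width/height runs past a plane. */
static bool dims_match_planes(const yuv_ctx *ctx)
{
    size_t need = (size_t)ctx->width * ctx->height;
    for (int i = 0; i < 3; i++)
        if (ctx->plane[i] == NULL || ctx->plane_size[i] < need)
            return false;
    return true;
}

/* Scenario: a 4x4 buffer is grown to 64x64 and the second plane's reallocation
 * fails. True only if the call reported failure AND the invariant still holds. */
static bool failed_grow_keeps_invariant(bool (*ensure)(yuv_ctx *, uint32_t, uint32_t))
{
    yuv_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    g_alloc_calls = 0; g_fail_on = 0;
    if (!ensure(&ctx, 4, 4))
        return false;
    g_alloc_calls = 0; g_fail_on = 2;       /* inject failure on the 2nd plane */
    bool ok = ensure(&ctx, 64, 64);
    bool invariant = dims_match_planes(&ctx);
    g_fail_on = 0;
    for (int i = 0; i < 3; i++)
        free(ctx.plane[i]);
    return !ok && invariant;
}

int main(void)
{
    printf("vulnerable ordering keeps invariant after failed grow: %s\n",
           failed_grow_keeps_invariant(ensure_buffer_vulnerable) ? "yes" : "no");
    printf("fixed ordering keeps invariant after failed grow: %s\n",
           failed_grow_keeps_invariant(ensure_buffer_fixed) ? "yes" : "no");
    return 0;
}
```

The point of the model is the commit order: any state that other code sizes its writes from (here `width` and `height`) must be updated only after every allocation it describes has succeeded, and the failure path must leave the object exactly as it was. A cheap regression check for this class of bug is to inject an allocation failure mid-loop in a unit test and assert the dimension/size invariant afterwards, as `failed_grow_keeps_invariant()` does.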

Affected Systems

FreeRDP implementations prior to version 3.24.2 are affected, including 3.24.1 and earlier releases. The vendor is FreeRDP.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity; the published vector (AV:N/AC:H/PR:N/UI:R) describes a network-reachable flaw with high attack complexity and no privileges required, but with user interaction required. The vulnerability is not listed in the CISA KEV catalog. It is inferred that a remote attacker who can initiate an RDP session may send a crafted YUV stream to trigger the fault. If successfully exploited, the attacker could corrupt client or server memory, potentially leading to privilege escalation or remote code execution.

Generated by OpenCVE AI on March 31, 2026 at 06:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to version 3.24.2 or later
  • Ensure the installed FreeRDP version is 3.24.2 or newer



Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

  • First Time appeared: added Freerdp, Freerdp freerdp
  • Vendors & Products: added Freerdp, Freerdp freerdp
  • References: no values listed
  • Metrics: threat_severity changed from None to Important

Tue, 31 Mar 2026 14:15:00 +0000

  • Metrics: ssvc added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

  • Description added: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in yuv_ensure_buffer() in libfreerdp/codec/h264.c, h264->width and h264->height are updated before the reallocation loop. If any winpr_aligned_recalloc() call fails, the function returns FALSE but width/height are already inflated. This issue has been patched in version 3.24.2.
  • Title added: FreeRDP: H.264 YUV Buffer Dimension Desync - Heap OOB Write
  • Weaknesses added: CWE-122, CWE-131
  • References: no values listed
  • Metrics: cvssV3_1 added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T03:55:16.088Z

Reserved: 2026-03-24T22:20:06.211Z

Link: CVE-2026-33986

Vulnrichment

Updated: 2026-03-31T14:04:57.711Z

NVD

Status: Received

Published: 2026-03-30T22:16:19.870

Modified: 2026-03-30T22:16:19.870

Link: CVE-2026-33986

Redhat

Severity: Important

Public Date: 2026-03-30T21:43:21Z

Links: CVE-2026-33986 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-31T20:39:54Z

Weaknesses