Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in yuv_ensure_buffer() in libfreerdp/codec/h264.c, h264->width and h264->height are updated before the reallocation loop. If any winpr_aligned_recalloc() call fails, the function returns FALSE but width/height are already inflated. This issue has been patched in version 3.24.2.
Published: 2026-03-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap out-of-bounds write
Action: Apply Patch
AI Analysis

Impact

FreeRDP versions before 3.24.2 contain a flaw in the H.264 decoding routine. In yuv_ensure_buffer() the decoder updates the stream width and height before allocating the YUV data buffers. If a call to winpr_aligned_recalloc() fails, the function returns FALSE, but the width/height values have already been inflated. Later code that uses width/height to address the YUV planes then operates on dimensions larger than the memory actually allocated, resulting in a heap out-of-bounds write.
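To make the dimension desync described in the Description and Impact sections concrete, here is an added illustration in C. It is not FreeRDP's code: the yuv_ctx struct, plane_size(), dims_consistent() and the fault-injecting sim_recalloc() (standing in for winpr_aligned_recalloc()) are all constructed for this example. ensure_buffer_vulnerable() commits width/height before the reallocation loop, as the advisory describes; ensure_buffer_fixed() is a commit-on-success variant that allocates every plane first and only then updates the dimensions, so a failed allocation leaves the state self-consistent.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical decoder state with the fields the advisory names (width, height
 * and per-plane YUV buffers). Constructed for this example; not FreeRDP's struct. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint8_t *planes[3];      /* Y, U, V */
    size_t   plane_sizes[3]; /* bytes actually allocated per plane */
} yuv_ctx;

/* Bytes a consumer addresses in plane i for a w x h frame (4:2:0 subsampling). */
static size_t plane_size(int i, uint32_t w, uint32_t h) {
    if (i == 0) return (size_t)w * h;
    return ((size_t)(w + 1) / 2) * ((size_t)(h + 1) / 2);
}

/* Fault-injection stand-in for winpr_aligned_recalloc(): returns NULL once more
 * than fail_after_calls allocations have been made since call_count was reset. */
static int fail_after_calls = -1;   /* -1: never fail */
static int call_count = 0;

static void *sim_recalloc(void *old, size_t size) {
    call_count++;
    if (fail_after_calls >= 0 && call_count > fail_after_calls) return NULL;
    void *p = realloc(old, size);
    if (p) memset(p, 0, size);
    return p;
}

/* Vulnerable pattern: dimensions are committed before the reallocation loop, so a
 * failed allocation returns false while width/height already describe the larger frame. */
static bool ensure_buffer_vulnerable(yuv_ctx *h, uint32_t w, uint32_t hgt) {
    if (h->width == w && h->height == hgt) return true;
    h->width = w;        /* BUG: committed before the planes exist */
    h->height = hgt;
    for (int i = 0; i < 3; i++) {
        size_t sz = plane_size(i, w, hgt);
        uint8_t *p = sim_recalloc(h->planes[i], sz);
        if (!p) return false;   /* width/height now exceed the planes still in use */
        h->planes[i] = p;
        h->plane_sizes[i] = sz;
    }
    return true;
}

/* Hardened pattern: allocate all planes into temporaries; commit planes and
 * dimensions together only after every allocation succeeded. */
static bool ensure_buffer_fixed(yuv_ctx *h, uint32_t w, uint32_t hgt) {
    if (h->width == w && h->height == hgt) return true;
    uint8_t *fresh[3] = {0};
    for (int i = 0; i < 3; i++) {
        fresh[i] = sim_recalloc(NULL, plane_size(i, w, hgt));
        if (!fresh[i]) {
            for (int j = 0; j < i; j++) free(fresh[j]);
            return false;   /* state untouched: old planes still match old dims */
        }
    }
    for (int i = 0; i < 3; i++) {
        free(h->planes[i]);
        h->planes[i] = fresh[i];
        h->plane_sizes[i] = plane_size(i, w, hgt);
    }
    h->width = w;
    h->height = hgt;
    return true;
}

/* Invariant a consumer relies on: each plane is at least as large as width/height imply. */
static bool dims_consistent(const yuv_ctx *h) {
    for (int i = 0; i < 3; i++)
        if (h->plane_sizes[i] < plane_size(i, h->width, h->height)) return false;
    return true;
}

static void free_ctx(yuv_ctx *h) {
    for (int i = 0; i < 3; i++) { free(h->planes[i]); h->planes[i] = NULL; h->plane_sizes[i] = 0; }
    h->width = h->height = 0;
}

int main(void) {
    yuv_ctx v = {0}, f = {0};
    fail_after_calls = -1; call_count = 0;
    ensure_buffer_vulnerable(&v, 64, 64);
    ensure_buffer_fixed(&f, 64, 64);

    /* Simulate the second of three allocations failing on a resize to 1024x1024. */
    fail_after_calls = 1; call_count = 0;
    bool ok_v = ensure_buffer_vulnerable(&v, 1024, 1024);
    fail_after_calls = 1; call_count = 0;
    bool ok_f = ensure_buffer_fixed(&f, 1024, 1024);

    printf("vulnerable: returned %d width=%u consistent=%d\n", ok_v, v.width, dims_consistent(&v));
    printf("fixed:      returned %d width=%u consistent=%d\n", ok_f, f.width, dims_consistent(&f));
    free_ctx(&v); free_ctx(&f);
    return 0;
}
```

The design choice in ensure_buffer_fixed() is that nothing observable changes until all allocations succeed; fresh buffers rather than in-place realloc are used so a partial failure cannot leave a plane shrunk below what the still-current dimensions imply. Frame contents are discarded on resize, which is acceptable for a decoder buffer that is refilled on the next frame. dims_consistent() is the kind of invariant check a reviewer or a fuzzing harness can assert after every ensure-buffer call to catch this class of desync.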

Affected Systems

The vulnerability affects FreeRDP releases prior to 3.24.2, specifically the H.264 decoding module of the client. Users running these versions are exposed to the described buffer overflow.

Risk and Exploitability

The CVSS base score of 7.5 indicates high severity, while the EPSS score of less than 1% and the absence from the CISA KEV catalog suggest a relatively low likelihood of exploitation in the wild. The likely attack vector, inferred from the description, is an attacker sending a malicious or malformed H.264 stream within a Remote Desktop session that triggers the allocation failure and results in memory corruption, which could impact data integrity and availability.

Generated by OpenCVE AI on April 2, 2026 at 04:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to version 3.24.2 or later to apply the fix.
  • If an upgrade is not feasible, disable H.264 support in the client or server configuration to mitigate the risk.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Freerdp
 | | Freerdp freerdp
Vendors & Products | | Freerdp
 | | Freerdp freerdp
References | |
Metrics | threat_severity: None | threat_severity: Important


Tue, 31 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type | Values Removed | Values Added
Description | | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in yuv_ensure_buffer() in libfreerdp/codec/h264.c, h264->width and h264->height are updated before the reallocation loop. If any winpr_aligned_recalloc() call fails, the function returns FALSE but width/height are already inflated. This issue has been patched in version 3.24.2.
Title | | FreeRDP: H.264 YUV Buffer Dimension Desync - Heap OOB Write
Weaknesses | | CWE-122
 | | CWE-131
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T03:55:16.088Z

Reserved: 2026-03-24T22:20:06.211Z

Link: CVE-2026-33986

Vulnrichment

Updated: 2026-03-31T14:04:57.711Z

NVD

Status : Analyzed

Published: 2026-03-30T22:16:19.870

Modified: 2026-04-01T19:48:32.787

Link: CVE-2026-33986

Redhat

Severity : Important

Public Date: 2026-03-30T21:43:21Z

Links: CVE-2026-33986 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T07:53:50Z

Weaknesses