Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in persistent_cache_read_entry_v3() in libfreerdp/cache/persistent.c, persistent->bmpSize is updated before winpr_aligned_recalloc(). If realloc fails, bmpSize is inflated while bmpData points to the old buffer. This issue has been patched in version 3.24.2.
Published: 2026-03-30
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap out‑of‑bounds write leading to memory corruption
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in FreeRDP’s persistent cache component. When a cache entry is read, the bmpSize counter is advanced before a safe reallocation is performed. If that reallocation fails, bmpSize becomes inflated while the data pointer still references a smaller buffer, so subsequent writes overrun the heap. This is a classic heap buffer overflow (CWE‑122) and also involves an incorrect buffer size calculation (CWE‑131). The result is unpredictable memory corruption that can cause application crashes or, in the worst case, allow an attacker to overwrite sensitive data if the attacker can influence the cache entry data.
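
The ordering problem described above, as an added C example (not FreeRDP's code or its patch). The struct, the function names and the injected failing allocator are hypothetical, constructed here to force the allocation-failure path and compare the recorded size under both orderings.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the reader's buffer state (not FreeRDP's struct). */
typedef struct {
    uint8_t *data; /* current allocation */
    size_t size;   /* capacity the reader believes data has */
} entry_buf;

/* The allocator is injected so the failure path can be forced. */
typedef void *(*realloc_fn)(void *, size_t);
static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

/* Ordering described in the advisory: size recorded before the allocation succeeds. */
static int grow_size_first(entry_buf *b, size_t need, realloc_fn ra) {
    if (need <= b->size) return 0;
    b->size = need;            /* recorded capacity now exceeds the real block */
    void *p = ra(b->data, need);
    if (!p) return -1;         /* data still points at the old, smaller block */
    b->data = p;
    return 0;
}

/* Corrected ordering: commit pointer and size together, only on success. */
static int grow_alloc_first(entry_buf *b, size_t need, realloc_fn ra) {
    if (need <= b->size) return 0;
    void *p = ra(b->data, need);
    if (!p) return -1;         /* state unchanged: data and size still agree */
    b->data = p;
    b->size = need;
    return 0;
}

/* Size recorded after a forced-failure grow from 16 to 64 bytes; the real block stays 16. */
size_t recorded_size_after_failed_grow(int fixed) {
    entry_buf b = { malloc(16), 16 };
    if (!b.data) return 0;
    if (fixed) grow_alloc_first(&b, 64, failing_realloc);
    else grow_size_first(&b, 64, failing_realloc);
    free(b.data);
    return b.size;
}

int main(void) {
    printf("size-first: %zu, alloc-first: %zu\n",
           recorded_size_after_failed_grow(0), recorded_size_after_failed_grow(1));
    return 0;
}
```

Any later bounds check that trusts the recorded size would accept a 64-byte write into the 16-byte block in the size-first case, which is the desynchronisation the advisory describes.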

Affected Systems

All builds of the FreeRDP client and library released before version 3.24.2 are affected. This includes the core libfreerdp/cache/persistent.c file used by any FreeRDP installation that enables persistent caching. The patch was introduced in the 3.24.2 release, so any installation of 3.24.2 or later is considered safe.

Risk and Exploitability

The CVSS base score of 7.1 indicates a high severity. The EPSS probability is below 1%, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, an attacker would need to supply a crafted RDP session that causes the persistent cache read to trigger a failed reallocation. This could be achieved by connecting to a malicious RDP server that deliberately sends malformed cache data, which is the most probable exploit scenario inferred from the nature of the bug.

Generated by OpenCVE AI on April 2, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the installed FreeRDP version, and if it is older than 3.24.2, plan an upgrade.
  • Apply the FreeRDP 3.24.2 or later patch which corrects the reallocation logic.
  • If an upgrade cannot be performed immediately, avoid connections to unknown or untrusted RDP servers and monitor vendor advisories for updates.


Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Freerdp; Freerdp freerdp
Vendors & Products | | Freerdp; Freerdp freerdp

Tue, 31 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type | Values Removed | Values Added
Description | | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in persistent_cache_read_entry_v3() in libfreerdp/cache/persistent.c, persistent->bmpSize is updated before winpr_aligned_recalloc(). If realloc fails, bmpSize is inflated while bmpData points to the old buffer. This issue has been patched in version 3.24.2.
Title | | FreeRDP: Persistent Cache bmpSize Desync - Heap OOB Write
Weaknesses | | CWE-122, CWE-131
References | |
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T15:32:44.898Z

Reserved: 2026-03-24T22:20:06.211Z

Link: CVE-2026-33987

Vulnrichment

Updated: 2026-03-31T15:32:40.584Z

NVD

Status: Analyzed

Published: 2026-03-30T22:16:20.017

Modified: 2026-04-01T18:44:43.633

Link: CVE-2026-33987

Redhat

Severity: Moderate

Public Date: 2026-03-30T21:43:39Z

Links: CVE-2026-33987 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T07:53:48Z

Weaknesses