PT-2026-25336 · Freerdp+1 · Freerdp+1

Yjk0805

·

Publicado

2026-01-01

·

Atualizado

2026-05-12

·

CVE-2026-31883

CVSS v3.1

9.8

Crítica

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions FreeRDP versions prior to 3.24.0
Description FreeRDP is a free implementation of the Remote Desktop Protocol. A size t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to a heap-buffer-overflow write via the RDPSND audio channel. The issue occurs in libfreerdp/codec/dsp.c where the decoders subtract block header sizes from a size t variable without checking for underflow. Specifically, when nBlockAlign (received from the server) is set in a way that triggers header parsing at a point where the size is smaller than the header (4 or 8 bytes), the subtraction wraps the size to a large value. This causes the while (size > 0) loop to iterate excessively.
Recommendations Update to version 3.24.0 or later.

Exploit

Correção

Integer Underflow

Heap Based Buffer Overflow

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-191CWE-122

Identificadores relacionados

ALSA-2026:16014
ALSA-2026:16019
ALSA-2026:16482
BDU:2026-04142
CVE-2026-31883
GHSA-85X9-4XXP-XHM5
MGASA-2026-0086
OESA-2026-2036
OESA-2026-2037
OESA-2026-2038
OESA-2026-2039
OESA-2026-2040
OPENSUSE-SU-2026:10408-1
OPENSUSE-SU-2026:10459-1
OPENSUSE-SU-2026:20632-1
OPENSUSE-SU-2026:20657-1
SUSE-SU-2026:1129-1
SUSE-SU-2026:1160-1
SUSE-SU-2026:1164-1
SUSE-SU-2026:1165-1
SUSE-SU-2026:1398-1
SUSE-SU-2026:21436-1

Produtos afetados

Freerdp
Rocky Linux