CVE-2026-31883

Name of the Vulnerable Software and Affected Versions FreeRDP versions prior to 3.24.0

Description FreeRDP is a free implementation of the Remote Desktop Protocol. A size t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to a heap-buffer-overflow write via the RDPSND audio channel. The issue occurs in libfreerdp/codec/dsp.c where the decoders subtract block header sizes from a size t variable without checking for underflow. Specifically, when nBlockAlign (received from the server) is set in a way that triggers header parsing at a point where the size is smaller than the header (4 or 8 bytes), the subtraction wraps the size to a large value. This causes the while (size > 0) loop to iterate excessively.

Recommendations Update to version 3.24.0 or later.