PT-2026-25336 · Freerdp+1

Yjk0805 · Published 2026-01-01 · Updated 2026-05-12 · CVE-2026-31883

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FreeRDP versions prior to 3.24.0
Description: FreeRDP is a free implementation of the Remote Desktop Protocol. A size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to a heap-buffer-overflow write via the RDPSND audio channel. The issue occurs in libfreerdp/codec/dsp.c, where the decoders subtract block header sizes from a size_t variable without checking for underflow. Specifically, nBlockAlign (received from the server) can be set so that header parsing is triggered at a point where the remaining size is smaller than the header (4 or 8 bytes); the subtraction then wraps the size to a very large value. The while (size > 0) loop consequently iterates far past the real end of the input, and the decoded samples it keeps producing are written beyond the heap-allocated output buffer. Because the malformed value comes from the server side of the audio channel, a malicious or compromised RDP server can trigger the overflow in a connecting client without any user interaction.
Recommendations: Update to version 3.24.0 or later.
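The failure mode described above, as an added model written for this page (it is not FreeRDP's code and does not reproduce the layout of libfreerdp/codec/dsp.c). The decoder loop is reduced to the two things the advisory names: a per-block header of 4 or 8 bytes subtracted from a size_t, and a while (size > 0) loop that keeps consuming input. The function and field names (decode_model, consume_header_unchecked, consume_header_checked, decode_result) and the inputs are assumptions constructed for illustration; the unchecked path is bounded by max_iter so it terminates here, whereas the real decoder keeps writing samples to the heap until it crashes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of one run of the model (names are this example's, not FreeRDP's). */
typedef struct {
    size_t iterations; /* while (size > 0) iterations executed */
    bool wrapped;      /* size_t subtraction wrapped (unchecked path only) */
    bool rejected;     /* hardened path refused the input */
    bool capped;       /* model stopped at max_iter (stands in for "runs until it crashes") */
} decode_result;

/* Vulnerable pattern: the block header size is subtracted from a size_t with
 * no check. When size < header the result wraps to a value near SIZE_MAX. */
static size_t consume_header_unchecked(size_t size, size_t header)
{
    return size - header;
}

/* Hardened pattern: refuse the block when the remaining bytes cannot hold the
 * header. This also rejects a server-supplied nBlockAlign smaller than the
 * header, since the next header would then land inside the previous one. */
static bool consume_header_checked(size_t *size, size_t header)
{
    if (*size < header)
        return false;
    *size -= header;
    return true;
}

/* Simplified model of the decoder's outer loop. A new block starts every
 * nBlockAlign bytes and its header is consumed; the rest of the block is
 * sample data consumed one byte per iteration. The real decoder also writes
 * decoded samples to the heap output buffer on every iteration, which is why
 * a wrapped size becomes an out-of-bounds write; the model only counts. */
static decode_result decode_model(size_t size, size_t nBlockAlign, size_t header,
                                  bool checked, size_t max_iter)
{
    decode_result r = {0, false, false, false};
    size_t pos = 0;

    if (nBlockAlign == 0) { /* model's own guard against the modulo below */
        r.rejected = true;
        return r;
    }

    while (size > 0) {
        if (r.iterations >= max_iter) {
            r.capped = true;
            break;
        }
        r.iterations++;

        if (pos % nBlockAlign == 0) {
            /* start of a block: parse its header */
            if (checked) {
                if (!consume_header_checked(&size, header)) {
                    r.rejected = true;
                    break;
                }
            } else {
                size_t before = size;
                size = consume_header_unchecked(size, header);
                if (size > before) /* only possible after a wrap */
                    r.wrapped = true;
            }
            pos += header;
            continue;
        }

        /* sample data: one byte per iteration */
        size--;
        pos++;
    }
    return r;
}

int main(void)
{
    /* Constructed inputs: a well-formed 16-byte stream with 8-byte blocks and
     * 4-byte headers, then a 10-byte stream whose second block holds only
     * 2 bytes, fewer than its 4-byte header. */
    decode_result ok = decode_model(16, 8, 4, true, 1000);
    decode_result bad_unchecked = decode_model(10, 8, 4, false, 1000);
    decode_result bad_checked = decode_model(10, 8, 4, true, 1000);

    printf("well-formed: %zu iterations\n", ok.iterations);
    printf("unchecked:   wrapped=%d capped=%d after %zu iterations\n",
           bad_unchecked.wrapped, bad_unchecked.capped, bad_unchecked.iterations);
    printf("checked:     rejected=%d after %zu iterations\n",
           bad_checked.rejected, bad_checked.iterations);
    return 0;
}
```

The check that matters is the one in consume_header_checked: compare before subtracting, and reject rather than clamp, because a server that can steer nBlockAlign can also steer the remaining size to any value it likes. When reviewing a decoder for this class of bug, look for every subtraction of a header or stride from an unsigned length inside a loop whose condition is the same length.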

Weakness Enumeration

Integer Underflow
Heap Based Buffer Overflow

Related Identifiers

ALSA-2026:16014
ALSA-2026:16019
ALSA-2026:16482
BDU:2026-04142
CVE-2026-31883
GHSA-85X9-4XXP-XHM5
MGASA-2026-0086
OESA-2026-2036
OESA-2026-2037
OESA-2026-2038
OESA-2026-2039
OESA-2026-2040
OPENSUSE-SU-2026:10408-1
OPENSUSE-SU-2026:10459-1
OPENSUSE-SU-2026:20632-1
OPENSUSE-SU-2026:20657-1
SUSE-SU-2026:1129-1
SUSE-SU-2026:1160-1
SUSE-SU-2026:1164-1
SUSE-SU-2026:1165-1
SUSE-SU-2026:1398-1
SUSE-SU-2026:21436-1

Affected Products

Freerdp
Rocky Linux