VDB

DEBIAN-CVE-2026-33952

DEBIAN-CVE-2026-33952 PUBLISHED CVSS 6.5 MEDIUM

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, an unvalidated auth_length field read from the network triggers a WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks(), causing any FreeRDP client connecting through a malicious RDP Gateway to crash with SIGABRT. This is a pre-authentication denial of service affecting all FreeRDP clients using RPC-over-HTTP gateway transport. The assertion is active in default release builds (WITH_VERBOSE_WINPR_ASSERT=ON). This issue has been patched in version 3.24.2.

Risk Scores

CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected Products

VendorProductVersions
Debian:14freerdp30, 3.16.0+dfsg-1, 3.16.0+dfsg-2
Debian:11freerdp2*, *, 2.11.2+dfsg1-1.1~exp1
Debian:13freerdp33.16.0+dfsg-2, 3.17.2+dfsg-2, 3.17.2+dfsg-3
Debian:12freerdp22.11.2+dfsg1-1.1~exp1, 2.11.2+dfsg1-1.1~exp2, 2.11.5+dfsg1-1

Timeline

  • Mar 30, 2026 CVE Published
  • May 16, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›