VDB
DEBIAN-CVE-2026-33952
DEBIAN-CVE-2026-33952
PUBLISHED
CVSS 6.5 MEDIUM
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, an unvalidated auth_length field read from the network triggers a WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks(), causing any FreeRDP client connecting through a malicious RDP Gateway to crash with SIGABRT. This is a pre-authentication denial of service affecting all FreeRDP clients using RPC-over-HTTP gateway transport. The assertion is active in default release builds (WITH_VERBOSE_WINPR_ASSERT=ON). This issue has been patched in version 3.24.2.
Risk Scores
CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | freerdp3 | 0, 3.16.0+dfsg-1, 3.16.0+dfsg-2 |
| Debian:11 | freerdp2 | *, *, 2.11.2+dfsg1-1.1~exp1 |
| Debian:13 | freerdp3 | 3.16.0+dfsg-2, 3.17.2+dfsg-2, 3.17.2+dfsg-3 |
| Debian:12 | freerdp2 | 2.11.2+dfsg1-1.1~exp1, 2.11.2+dfsg1-1.1~exp2, 2.11.5+dfsg1-1 |
Timeline
- Mar 30, 2026 CVE Published
- May 16, 2026 CVE Updated