VDB
DEBIAN-CVE-2026-33984
DEBIAN-CVE-2026-33984
PUBLISHED
CVSS 7.5 HIGH
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in resize_vbar_entry() in libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count before the winpr_aligned_recalloc() call. If realloc fails, size is inflated while pixels still points to the old, smaller buffer. On a subsequent call where count <= size (the inflated value), realloc is skipped. The caller then writes count * bpp bytes of attacker-controlled pixel data into the undersized buffer, causing a heap buffer overflow. This issue has been patched in version 3.24.2.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | freerdp2 | 2.3.0+dfsg1, 2.3.0+dfsg1, 2.3.0+dfsg1 |
| Debian:14 | freerdp3 | 3.22.0+dfsg, 3.16.0+dfsg-1, 3.16.0+dfsg-2 |
| Debian:12 | freerdp2 | 2.11.7+dfsg1, 2.11.7+dfsg1, 2.11.7+dfsg1 |
| Debian:13 | freerdp3 | 3.15.0+dfsg-2.1, 3.16.0+dfsg-1, 3.17.0+dfsg-1 |
Timeline
- Mar 30, 2026 CVE Published
- May 16, 2026 CVE Updated