VDB
DEBIAN-CVE-2026-33987
DEBIAN-CVE-2026-33987
PUBLISHED
CVSS 6.599999904632568 MEDIUM
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in persistent_cache_read_entry_v3() in libfreerdp/cache/persistent.c, persistent->bmpSize is updated before winpr_aligned_recalloc(). If realloc fails, bmpSize is inflated while bmpData points to the old buffer. This issue has been patched in version 3.24.2.
Risk Scores
CVSS 3.1
6.599999904632568
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | freerdp2 | 2.11.7+dfsg1-6, 2.11.7+dfsg1, 2.11.7+dfsg1 |
| Debian:13 | freerdp3 | 3.17.2+dfsg-2, 3.17.1+dfsg-2, 3.17.0+dfsg-1 |
| Debian:11 | freerdp2 | *, 2.3.0+dfsg1-2+deb11u1, 2.3.0+dfsg1-2+deb11u2 |
| Debian:14 | freerdp3 | 3.24.2+dfsg, 3.24.1+dfsg, 3.24.0+dfsg |
Timeline
- Mar 30, 2026 CVE Published
- May 16, 2026 CVE Updated