DEBIAN-CVE-2026-33995

DEBIAN-CVE-2026-33995 PUBLISHED CVSS 5.300000190734863 MEDIUM

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a double-free vulnerability in kerberos_AcceptSecurityContext() and kerberos_InitializeSecurityContextA() (WinPR, winpr/libwinpr/sspi/Kerberos/kerberos.c) can cause a crash in any FreeRDP clients on systems where Kerberos and/or Kerberos U2U is configured (Samba AD member, or krb5 for NFS). The crash is triggered during NLA connection teardown and requires a failed authentication attempt. This issue has been patched in version 3.24.2.

Risk Scores

CVSS 3.1

5.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected Products

Vendor	Product	Versions
Debian:12	freerdp2	0, 2.10.0+dfsg1, 2.10.0+dfsg1
Debian:11	freerdp2	2.11.2+dfsg1, 2.11.2+dfsg1, 2.10.0+dfsg1
Debian:13	freerdp3	3.15.0+dfsg, 0, 3.15.0+dfsg-2.1
Debian:14	freerdp3	3.24.0+dfsg-1, 3.23.0+dfsg-1~bpo13+1, 3.22.0+dfsg-3

Timeline

Mar 30, 2026 CVE Published
May 16, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-33995 advisory

Open in Interactive Console →