wid-sec-w-2026-0725  ·  Published 2026-03-12  ·  Source: BSI CERT-Bund

FreeRDP: Multiple Vulnerabilities

CVSS 9.3 CRITICAL

Risk Summary

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to a heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.
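As an added illustration (a constructed model, not FreeRDP's own dsp.c code), the loop below mirrors the pattern the summary describes: a size_t byte count is reduced by the block header length whenever the remaining size is a multiple of the server-supplied block alignment. consume_unchecked shows the wrap when the remaining input is shorter than the header; consume_checked is the hardened form that guards the alignment and bounds-checks before subtracting. The function names, the one-byte-per-iteration decode step and the iteration cap are assumptions made for the demonstration.

```c
#include <stddef.h>

/* Constructed model of an ADPCM block-consumption loop; not FreeRDP code.
 * Each block is block_align bytes: a header_len-byte header followed by sample
 * data that this model "decodes" one byte per iteration. Returns the number of
 * iterations run, stopping at max_iter so the wrapped case still terminates. */
size_t consume_unchecked(size_t size, size_t block_align, size_t header_len,
                         size_t max_iter)
{
    size_t iters = 0;
    while (size > 0 && iters < max_iter) {
        if (size % block_align == 0)
            size -= header_len; /* no check: wraps to ~SIZE_MAX if size < header_len */
        size -= 1;              /* also wraps if the header left size == 0 */
        iters++;
    }
    return iters;
}

typedef enum { ADPCM_OK, ADPCM_BAD_FORMAT, ADPCM_TRUNCATED } adpcm_status;

/* Hardened variant. Rejects a zero block alignment (it comes from the server
 * and would otherwise divide by zero) and refuses any block whose remaining
 * input cannot hold the header, so the subtraction can never wrap.
 * On success *consumed receives the number of input bytes processed. */
adpcm_status consume_checked(size_t size, size_t block_align, size_t header_len,
                             size_t *consumed)
{
    size_t total = size;
    if (block_align == 0)
        return ADPCM_BAD_FORMAT;
    while (size > 0) {
        if (size % block_align == 0) {
            if (size < header_len)
                return ADPCM_TRUNCATED; /* would underflow: reject the block */
            size -= header_len;
            if (size == 0)
                break;                  /* header-only block: no samples follow */
        }
        size -= 1;
    }
    *consumed = total - size;
    return ADPCM_OK;
}
```

With a 2-byte alignment and a 4-byte header, the unchecked loop runs until the iteration cap, while the checked one rejects the input before any subtraction.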

Affected Vendors

Amazon, Fedora, Open Source, Oracle, RESF, Red Hat, SUSE

Affected Products (2)

Open Source · FreeRDP <3.24.0
Open Source · FreeRDP 3.24.0
