wid-sec-w-2026-0880 · Published 2026-03-25 · View on BSI CERT-Bund ↗

FreeRDP: Multiple Vulnerabilities

CVSS 7.5 HIGH

Risk Summary

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, progressive_decompress_tile_upgrade() detects a mismatch via progressive_rfx_quant_cmp_equal() but only emits WLog_WARN, execution continues. The wrapped value (247) is used as a shift exponent, causing undefined behavior and an approximately 80 billion iteration loop (CPU DoS). This issue has been patched in version 3.24.2.

CVEs (9)

CVE-2026-33952 CVE-2026-33977 CVE-2026-33982 CVE-2026-33983 CVE-2026-33984 CVE-2026-33985 CVE-2026-33986 CVE-2026-33987 CVE-2026-33995

Affected Vendors

Fedora Open Source

Affected Products (2)

Open Source · FreeRDP <3.24.2

Open Source · FreeRDP 3.24.2

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more