CVE-2026-31883

MEDIUM 6.5

FreeRDP has a `size_t` underflow in ADPCM decoder leads to heap-buffer-overflow write

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.

CWE	CWE-191 CWE-122
Vendor	freerdp
Product	freerdp
Published	Mar 13, 2026
Last Updated	Mar 16, 2026

Stay Ahead of the Next One

Get instant alerts for freerdp freerdp

Be the first to know when new medium vulnerabilities affecting freerdp freerdp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

FreeRDP / FreeRDP

< 3.24.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-85x9-4xxp-xhm5 github.com: https://github.com/FreeRDP/FreeRDP/commit/16df2300e1e3f5a51f68fb1626429e58b531b7c8