CVE-2026-31883
Received Received - Intake
Heap Buffer Overflow in FreeRDP Audio Decoders via RDPSND Channel

Publication date: 2026-03-13

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31883
EUVD
EUVD-2026-12061
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freerdp freerdp to 3.24.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-31883 is a vulnerability in FreeRDP's audio decoding components, specifically in the IMA-ADPCM and MS-ADPCM audio decoders. The issue arises because the code subtracts block header sizes from a size_t variable without checking if this subtraction causes an underflow. When the size is smaller than the header size, this subtraction wraps the size variable to a very large value, causing the decoding loop to run an excessive number of times."}, {'type': 'paragraph', 'content': 'This leads to a heap-buffer-overflow write via the RDPSND audio channel, as decoded audio samples are written to the output buffer without proper capacity checks. The vulnerability can be triggered remotely by a malicious RDP server sending specially crafted audio data, potentially causing crashes or enabling remote code execution.'}] [2]

Impact Analysis

This vulnerability can have serious impacts including remote code execution and denial of service. A malicious RDP server can exploit this flaw by sending crafted audio data that triggers a heap buffer overflow on the client side.

  • Remote code execution by corrupting heap metadata or adjacent objects.
  • Guaranteed denial of service (application crash) in both debug and release builds.
  • No user interaction or privileges are required for exploitation, making it a network-exploitable vulnerability.
Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring FreeRDP client versions and network traffic for malicious RDPSND audio channel data that exploits the size_t underflow in the ADPCM audio decoders.

Specifically, detection involves identifying FreeRDP clients running versions prior to 3.24.0 and analyzing RDP sessions for unusual or malformed audio format parameters, such as manipulated nBlockAlign values in Server Audio Formats PDUs.

While no explicit detection commands are provided in the resources, network administrators can use packet capture tools (e.g., tcpdump or Wireshark) to filter and inspect RDP traffic on port 3389 for RDPSND channel messages with suspicious audio format parameters.

  • Use tcpdump to capture RDP traffic: tcpdump -i <interface> port 3389 -w rdp_capture.pcap
  • Analyze captured traffic in Wireshark, filtering for RDPSND audio channel PDUs and inspect nBlockAlign values for abnormal sizes.
  • Check FreeRDP client version on systems: freerdp --version or check package manager versions to identify vulnerable versions prior to 3.24.0.
Mitigation Strategies

The immediate and most effective mitigation is to upgrade FreeRDP clients to version 3.24.0 or later, where this vulnerability has been fixed by adding strict bounds and size checks in the ADPCM audio decoders.

If upgrading is not immediately possible, consider disabling or restricting the use of the RDPSND audio channel in FreeRDP clients to prevent processing of potentially malicious audio data.

Additionally, network-level controls such as firewall rules or RDP gateway policies can be used to limit or inspect RDP traffic to reduce exposure to malicious servers sending crafted audio data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31883. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart