CVE-2026-31883
Heap Buffer Overflow in FreeRDP Audio Decoders via RDPSND Channel
Publication date: 2026-03-13
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | versions before 3.24.0 (3.24.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31883 is a vulnerability in FreeRDP's audio decoding components, specifically in the IMA-ADPCM and MS-ADPCM audio decoders. The issue arises because the code subtracts block header sizes from a size_t variable without checking whether this subtraction underflows. When the size is smaller than the header size, the subtraction wraps the size variable to a very large value, causing the decoding loop to run an excessive number of times.

This leads to a heap-buffer-overflow write via the RDPSND audio channel, as decoded audio samples are written to the output buffer without proper capacity checks. The vulnerability can be triggered remotely by a malicious RDP server sending specially crafted audio data, potentially causing crashes or enabling remote code execution. [2]
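The size_t underflow described above, shown side by side with the checked form, as an added illustration. This is a constructed, simplified block decoder written for this page, not FreeRDP's code: the 4-byte header, the two-samples-per-byte layout, the toy nibble expansion and the function names are all assumptions chosen to make the pattern visible. The unchecked variant only computes the loop bound and never touches memory; the checked variant is what a decoder should do before writing a single sample.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of a block-based ADPCM-style decoder. It is an
 * illustration written for this page, not FreeRDP's decoder: each input block
 * carries a fixed-size header followed by packed 4-bit samples, two per byte. */
#define BLOCK_HEADER_SIZE 4u

/* The vulnerable pattern named in the advisory: the header size is subtracted
 * from a size_t before anyone checks that the block is at least that long.
 * For a truncated block the subtraction wraps around and the resulting sample
 * count becomes enormous. This function only computes the bound and never
 * writes memory, so it is safe to call with bad input. */
size_t sample_count_unchecked(size_t src_size, size_t block_align)
{
    size_t samples = 0;
    if (block_align == 0)
        return 0;                                   /* avoid a zero-advance loop */
    while (src_size > 0) {
        size_t block = src_size < block_align ? src_size : block_align;
        size_t payload = block - BLOCK_HEADER_SIZE; /* wraps when block < header */
        samples += payload * 2;
        src_size -= block;
    }
    return samples;
}

/* Hardened pattern: every subtraction is preceded by the check that makes it
 * valid, and the output capacity is verified before any sample is written.
 * Returns false (and decodes nothing further) as soon as a check fails. */
bool decode_blocks_checked(const uint8_t *src, size_t src_size, size_t block_align,
                           int16_t *dst, size_t dst_cap, size_t *out_written)
{
    size_t written = 0;
    /* A block must be longer than its header or it cannot carry samples. */
    if (block_align <= BLOCK_HEADER_SIZE || block_align > SIZE_MAX / 2)
        return false;
    while (src_size > 0) {
        size_t block = src_size < block_align ? src_size : block_align;
        if (block < BLOCK_HEADER_SIZE)
            return false;                 /* truncated trailing block: reject */
        size_t payload = block - BLOCK_HEADER_SIZE;
        size_t nsamples = payload * 2;    /* no overflow: payload <= block_align <= SIZE_MAX/2 */
        if (nsamples > dst_cap - written)
            return false;                 /* output buffer would overflow: reject */
        for (size_t i = 0; i < payload; i++) {
            uint8_t b = src[BLOCK_HEADER_SIZE + i];
            dst[written++] = (int16_t)((b & 0x0F) * 256); /* toy expansion of low nibble */
            dst[written++] = (int16_t)((b >> 4) * 256);   /* toy expansion of high nibble */
        }
        src += block;
        src_size -= block;
    }
    *out_written = written;
    return true;
}

/* Constructed sample input: one 8-byte block = 4 header bytes + 4 payload bytes. */
static const uint8_t SAMPLE_BLOCK[8] = { 0, 0, 0, 0, 0x21, 0x43, 0x65, 0x87 };

/* Well-formed block: returns the number of samples written, 0 if anything is off. */
size_t demo_valid_block(void)
{
    int16_t dst[8];
    size_t written = 0;
    if (!decode_blocks_checked(SAMPLE_BLOCK, sizeof SAMPLE_BLOCK, 8, dst, 8, &written))
        return 0;
    /* 0x21 expands to the low nibble 1 (256) followed by the high nibble 2 (512). */
    if (dst[0] != 256 || dst[1] != 512)
        return 0;
    return written;
}

/* Input shorter than the header is rejected instead of wrapping. */
bool demo_truncated_rejected(void)
{
    int16_t dst[8];
    size_t written = 0;
    return !decode_blocks_checked(SAMPLE_BLOCK, 2, 8, dst, 8, &written);
}

/* An output buffer too small for the decoded samples is rejected before writing. */
bool demo_small_dst_rejected(void)
{
    int16_t dst[8];
    size_t written = 0;
    return !decode_blocks_checked(SAMPLE_BLOCK, sizeof SAMPLE_BLOCK, 8, dst, 7, &written);
}

int main(void)
{
    printf("unchecked bound for a 2-byte input: %zu samples\n", sample_count_unchecked(2, 4));
    printf("checked decode of sample block: %zu samples\n", demo_valid_block());
    printf("truncated input rejected: %s\n", demo_truncated_rejected() ? "yes" : "no");
    printf("small output buffer rejected: %s\n", demo_small_dst_rejected() ? "yes" : "no");
    return 0;
}
```

The two checks in decode_blocks_checked correspond to the two CWEs listed for this advisory: the `block < BLOCK_HEADER_SIZE` test prevents the integer underflow (CWE-191), and the `nsamples > dst_cap - written` test prevents the heap write past the output buffer (CWE-122). Either check alone is insufficient: without the first, the loop bound is wrong; without the second, a correct bound can still exceed the caller's buffer.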
How can this vulnerability impact me?
This vulnerability can have serious impacts including remote code execution and denial of service. A malicious RDP server can exploit this flaw by sending crafted audio data that triggers a heap buffer overflow on the client side.
- Remote code execution by corrupting heap metadata or adjacent objects.
- Guaranteed denial of service (application crash) in both debug and release builds.
- No user interaction or privileges are required for exploitation, making it a network-exploitable vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring FreeRDP client versions and by inspecting network traffic for malicious RDPSND audio channel data that exploits the size_t underflow in the ADPCM audio decoders.
Specifically, detection involves identifying FreeRDP clients running versions prior to 3.24.0 and analyzing RDP sessions for unusual or malformed audio format parameters, such as manipulated nBlockAlign values in Server Audio Formats PDUs.
While no explicit detection commands are provided in the resources, network administrators can use packet capture tools (e.g., tcpdump or Wireshark) to filter and inspect RDP traffic on port 3389 for RDPSND channel messages with suspicious audio format parameters. Note that on sessions protected by TLS or NLA the channel payload is encrypted on the wire, so inspection of RDPSND PDUs requires capture at a point where the traffic is decrypted (for example, at a decrypting RDP gateway or on the client itself).
- Use tcpdump to capture RDP traffic: `tcpdump -i <interface> port 3389 -w rdp_capture.pcap`
- Analyze the captured traffic in Wireshark, filtering for RDPSND audio channel PDUs, and inspect nBlockAlign values for abnormal sizes.
- Check the FreeRDP client version on systems: `xfreerdp /version` (the client binary may be named xfreerdp3 on some distributions), or check package manager versions, to identify vulnerable versions prior to 3.24.0.
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade FreeRDP clients to version 3.24.0 or later, where this vulnerability has been fixed by adding strict bounds and size checks in the ADPCM audio decoders.
If upgrading is not immediately possible, consider disabling or restricting the use of the RDPSND audio channel in FreeRDP clients to prevent processing of potentially malicious audio data.
Additionally, network-level controls such as firewall rules or RDP gateway policies can be used to limit or inspect RDP traffic to reduce exposure to malicious servers sending crafted audio data.