CVE-2026-31884
Division by Zero Crash in FreeRDP ADPCM Audio Decoders
Publication date: 2026-03-13
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | to 3.24.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-369 | The product divides a value by zero. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31884 is a vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol. The issue occurs in the MS-ADPCM and IMA-ADPCM audio decoders when the audio format parameter nBlockAlign is set to 0. This parameter is used in a modulo operation during decoding, and since zero is not validated, it causes a division-by-zero error leading to a crash (SIGFPE). The vulnerability arises because the nBlockAlign value comes from the Server Audio Formats PDU on the RDPSND channel and is not checked before use.
This flaw allows an attacker to cause the FreeRDP client to crash by sending malformed audio format data with nBlockAlign set to zero. The problem was fixed in FreeRDP version 3.24.0 by adding strict validation checks to ensure nBlockAlign and other audio format parameters are valid before decoding.
How can this vulnerability impact me? :
This vulnerability can lead to a denial of service (DoS) condition by crashing the FreeRDP client. Since the crash is caused by a division-by-zero error triggered during audio format negotiation, an attacker can remotely cause the client to terminate unexpectedly.
No special privileges or user interaction are required to exploit this vulnerability. The attack vector is network-based via the RDPSND channel, meaning an attacker can send malicious audio format data to trigger the crash.
The impact is limited to availability, as there is no confidentiality or integrity loss associated with this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring FreeRDP audio format negotiation on the RDPSND channel for invalid audio format parameters, specifically when the nBlockAlign field is set to 0 in the Server Audio Formats PDU.'}, {'type': 'paragraph', 'content': 'A practical approach is to capture and analyze network traffic to identify RDPSND channel packets containing audio format PDUs with nBlockAlign=0.'}, {'type': 'paragraph', 'content': 'For example, using Wireshark or tshark, you can filter for RDP sound channel packets and inspect the audio format fields.'}, {'type': 'list_item', 'content': 'Use tshark to capture and filter RDPSND packets: tshark -i <interface> -Y "rdp.channel == \'rdpsnd\'" -V'}, {'type': 'list_item', 'content': 'Inspect the Server Audio Formats PDU for nBlockAlign field values equal to 0.'}, {'type': 'paragraph', 'content': 'Additionally, on the system running FreeRDP, monitoring for crashes or SIGFPE signals in the FreeRDP process can indicate exploitation attempts.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade FreeRDP to version 3.24.0 or later, where the vulnerability is fixed by adding strict validation of audio format parameters, including ensuring nBlockAlign is not zero before decoding.
If upgrading is not immediately possible, consider implementing network-level controls to block or monitor RDPSND channel traffic that contains malformed audio format PDUs with nBlockAlign=0.
Additionally, monitor FreeRDP client logs and system logs for crashes related to floating point exceptions (SIGFPE) which may indicate attempts to exploit this vulnerability.