CVE-2026-31885
Out-of-Bounds Read in FreeRDP ADPCM Decoders Causes Crash
Publication date: 2026-03-13
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | to 3.24.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-31885 is an out-of-bounds read vulnerability in the FreeRDP project's ADPCM audio decoders, specifically in the MS-ADPCM and IMA-ADPCM decoding implementations in versions up to 3.23.0."}, {'type': 'paragraph', 'content': 'The issue occurs because predictor and step_index values extracted from input audio data are not properly validated before being used as array indices. For MS-ADPCM, a predictor byte can index beyond the bounds of two 7-element coefficient arrays, and for IMA-ADPCM, a step_index value can be used before clamping, causing an out-of-bounds read in a step size table.'}, {'type': 'paragraph', 'content': 'This leads to invalid memory reads from adjacent global data, potentially leaking sensitive information or causing crashes.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "This vulnerability can be exploited remotely by sending specially crafted audio data over the Remote Desktop Protocol's sound channel (RDPSND)."}, {'type': 'paragraph', 'content': 'The impacts include:'}, {'type': 'list_item', 'content': 'Information disclosure by leaking adjacent global data from the static data section.'}, {'type': 'list_item', 'content': 'Potential denial of service (DoS) due to crashes if out-of-bounds reads cross memory page boundaries.'}, {'type': 'list_item', 'content': 'No privileges are required to exploit this vulnerability, and user interaction is minimal, making remote exploitation feasible.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring for anomalous or crafted Server Audio Formats and Wave2 PDUs containing malicious ADPCM audio data sent over the RDPSND channel, which triggers out-of-bounds reads in FreeRDP's ADPCM decoders."}, {'type': 'paragraph', 'content': 'A practical detection method involves running FreeRDP with debugging tools such as AddressSanitizer (ASan) to detect global-buffer-overflow errors during decoding, as demonstrated by the proof of concept that triggers the MS-ADPCM predictor out-of-bounds read.'}, {'type': 'paragraph', 'content': 'While no specific network commands are provided, you can use packet capture tools like tcpdump or Wireshark to filter and analyze RDPSND channel traffic for suspicious or malformed audio data packets.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade FreeRDP to version 3.24.0 or later, where proper bounds checks on predictor and step_index values have been implemented to fix this vulnerability.
Until the upgrade can be applied, consider restricting or monitoring RDPSND channel traffic to prevent the reception of crafted ADPCM audio data that could exploit this flaw.