CVE-2026-31885
Received Received - Intake
Out-of-Bounds Read in FreeRDP ADPCM Decoders Causes Crash

Publication date: 2026-03-13

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input data. This vulnerability is fixed in 3.24.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31885
EUVD
EUVD-2026-12063
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freerdp freerdp to 3.24.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-31885 is an out-of-bounds read vulnerability in the FreeRDP project's ADPCM audio decoders, specifically in the MS-ADPCM and IMA-ADPCM decoding implementations in versions up to 3.23.0."}, {'type': 'paragraph', 'content': 'The issue occurs because predictor and step_index values extracted from input audio data are not properly validated before being used as array indices. For MS-ADPCM, a predictor byte can index beyond the bounds of two 7-element coefficient arrays, and for IMA-ADPCM, a step_index value can be used before clamping, causing an out-of-bounds read in a step size table.'}, {'type': 'paragraph', 'content': 'This leads to invalid memory reads from adjacent global data, potentially leaking sensitive information or causing crashes.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can be exploited remotely by sending specially crafted audio data over the Remote Desktop Protocol's sound channel (RDPSND)."}, {'type': 'paragraph', 'content': 'The impacts include:'}, {'type': 'list_item', 'content': 'Information disclosure by leaking adjacent global data from the static data section.'}, {'type': 'list_item', 'content': 'Potential denial of service (DoS) due to crashes if out-of-bounds reads cross memory page boundaries.'}, {'type': 'list_item', 'content': 'No privileges are required to exploit this vulnerability, and user interaction is minimal, making remote exploitation feasible.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring for anomalous or crafted Server Audio Formats and Wave2 PDUs containing malicious ADPCM audio data sent over the RDPSND channel, which triggers out-of-bounds reads in FreeRDP's ADPCM decoders."}, {'type': 'paragraph', 'content': 'A practical detection method involves running FreeRDP with debugging tools such as AddressSanitizer (ASan) to detect global-buffer-overflow errors during decoding, as demonstrated by the proof of concept that triggers the MS-ADPCM predictor out-of-bounds read.'}, {'type': 'paragraph', 'content': 'While no specific network commands are provided, you can use packet capture tools like tcpdump or Wireshark to filter and analyze RDPSND channel traffic for suspicious or malformed audio data packets.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade FreeRDP to version 3.24.0 or later, where proper bounds checks on predictor and step_index values have been implemented to fix this vulnerability.

Until the upgrade can be applied, consider restricting or monitoring RDPSND channel traffic to prevent the reception of crafted ADPCM audio data that could exploit this flaw.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31885. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart