CVE-2026-33983
CPU DoS via Improper Shift in FreeRDP progressive_decompress_tile_upgrade
Publication date: 2026-03-30
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | to 3.24.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-252 | The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in FreeRDP, a free implementation of the Remote Desktop Protocol, in versions prior to 3.24.2. The function progressive_decompress_tile_upgrade() detects a mismatch using progressive_rfx_quant_cmp_equal() but only logs a warning (WLog_WARN) and continues execution. This leads to the use of a wrapped value (247) as a shift exponent, which causes undefined behavior and results in an extremely large loop of approximately 80 billion iterations, effectively causing a CPU denial of service (DoS).
How can this vulnerability impact me? :
The vulnerability can cause a denial of service (DoS) condition by making the CPU execute an extremely large loop, consuming excessive processing resources. This can degrade system performance or make the affected system unresponsive, potentially disrupting remote desktop services.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update FreeRDP to version 3.24.2 or later, where the issue has been patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in FreeRDP prior to version 3.24.2 causes a CPU denial of service (DoS) due to an infinite loop triggered by a wrapped value used as a shift exponent. This results in availability impact (A:H) but does not affect confidentiality or integrity.
Since the vulnerability does not lead to data breach, unauthorized access, or data modification, it does not directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal and health data.
However, the availability impact could indirectly affect compliance if the denial of service disrupts critical systems or services required to meet regulatory obligations for uptime and service continuity.