CVE-2026-33983
Received Received - Intake
CPU DoS via Improper Shift in FreeRDP progressive_decompress_tile_upgrade

Publication date: 2026-03-30

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, progressive_decompress_tile_upgrade() detects a mismatch via progressive_rfx_quant_cmp_equal() but only emits WLog_WARN, execution continues. The wrapped value (247) is used as a shift exponent, causing undefined behavior and an approximately 80 billion iteration loop (CPU DoS). This issue has been patched in version 3.24.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33983
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freerdp freerdp to 3.24.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-252 The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in FreeRDP prior to version 3.24.2 causes a CPU denial of service (DoS) due to an infinite loop triggered by a wrapped value used as a shift exponent. This results in availability impact (A:H) but does not affect confidentiality or integrity.

Since the vulnerability does not lead to data breach, unauthorized access, or data modification, it does not directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal and health data.

However, the availability impact could indirectly affect compliance if the denial of service disrupts critical systems or services required to meet regulatory obligations for uptime and service continuity.

Executive Summary

This vulnerability exists in FreeRDP, a free implementation of the Remote Desktop Protocol, in versions prior to 3.24.2. The function progressive_decompress_tile_upgrade() detects a mismatch using progressive_rfx_quant_cmp_equal() but only logs a warning (WLog_WARN) and continues execution. This leads to the use of a wrapped value (247) as a shift exponent, which causes undefined behavior and results in an extremely large loop of approximately 80 billion iterations, effectively causing a CPU denial of service (DoS).

Impact Analysis

The vulnerability can cause a denial of service (DoS) condition by making the CPU execute an extremely large loop, consuming excessive processing resources. This can degrade system performance or make the affected system unresponsive, potentially disrupting remote desktop services.

Mitigation Strategies

To mitigate this vulnerability, update FreeRDP to version 3.24.2 or later, where the issue has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33983. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart