CVE-2026-33984
Modified Modified - Updated After Analysis

Heap Buffer Overflow in FreeRDP clear.c Causes Memory Corruption

Vulnerability report for CVE-2026-33984, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-30

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in resize_vbar_entry() in libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count before the winpr_aligned_recalloc() call. If realloc fails, size is inflated while pixels still points to the old, smaller buffer. On a subsequent call where count <= size (the inflated value), realloc is skipped. The caller then writes count * bpp bytes of attacker-controlled pixel data into the undersized buffer, causing a heap buffer overflow. This issue has been patched in version 3.24.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-30
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-03-31
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
freerdp freerdp to 3.24.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-131 The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in FreeRDP, a free implementation of the Remote Desktop Protocol, in versions prior to 3.24.2. The issue occurs in the function resize_vbar_entry() within the file libfreerdp/codec/clear.c. Specifically, the size field of a vBarEntry structure is updated before a memory reallocation call (winpr_aligned_recalloc). If this reallocation fails, the size remains inflated while the pixel buffer still points to the smaller, original memory area. On subsequent calls where the count is less than or equal to this inflated size, the reallocation is skipped, leading to a situation where attacker-controlled pixel data is written beyond the bounds of the allocated buffer. This causes a heap buffer overflow.

Impact Analysis

The heap buffer overflow caused by this vulnerability can lead to serious security impacts. According to the CVSS score of 7.5, it has high severity with potential consequences including confidentiality, integrity, and availability impacts. An attacker could exploit this flaw to execute arbitrary code, cause a denial of service, or corrupt memory, potentially compromising the affected system.

Mitigation Strategies

The vulnerability has been patched in FreeRDP version 3.24.2. To mitigate this vulnerability, you should update FreeRDP to version 3.24.2 or later.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33984. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart