CVE-2026-31883
Published: 13 March 2026
Summary
CVE-2026-31883 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in FreeRDP. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 20.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability in the FreeRDP client audio decoders is directly triggered by a malicious RDP server supplying crafted RDPSND data, enabling remote code execution on the client without user interaction or privileges; this precisely matches T1203 Exploitation for Client Execution.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.
Deeper analysis (AI)
CVE-2026-31883 is a size_t underflow vulnerability in the IMA-ADPCM and MS-ADPCM audio decoders of FreeRDP, a free implementation of the Remote Desktop Protocol, affecting versions prior to 3.24.0. Located in libfreerdp/codec/dsp.c, the decoders subtract block header sizes (4 or 8 bytes) from a size_t variable without underflow checks. When a server-supplied nBlockAlign value causes size % block_size == 0 with size smaller than the header, the subtraction wraps size to approximately SIZE_MAX, triggering an astronomically long while (size > 0) loop and leading to a heap-buffer-overflow write via the RDPSND audio channel. It is associated with CWE-122 (heap-based buffer overflow) and CWE-191 (integer underflow).
The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), indicating network accessibility, low attack complexity, no privileges or user interaction required, and unchanged scope with low confidentiality and integrity impacts but no availability impact. Remote unauthenticated attackers can exploit FreeRDP clients by acting as RDP servers and sending crafted audio data over the RDPSND channel, potentially enabling partial information disclosure or modification through the resulting buffer overflow.
FreeRDP addresses the issue in version 3.24.0. The GitHub security advisory GHSA-85x9-4xxp-xhm5 and fixing commit 16df2300e1e3f5a51f68fb1626429e58b531b7c8 detail the patch, which practitioners should apply by upgrading affected clients.
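The underflow described above can be seen in a simplified model of the decode loop, run with and without a bounds check before the header subtraction. This is an added example, not FreeRDP source and not the fixing commit; `model_decode`, `DECODE_REJECTED`, the `guarded` flag and the sample sizes are assumptions made for illustration, and the model counts output bytes instead of writing them.

```c
#include <stddef.h>
#include <stdio.h>

#define HDR_MONO 4u                    /* one-channel block header size, per the description */
#define DECODE_REJECTED ((size_t)-1)   /* model's error value (assumption) */

/* Simplified model of a mono ADPCM decode loop. It counts the output bytes the
 * loop would write instead of writing them. Each input byte carries two 4-bit
 * codes, and each code expands to one 16-bit sample, so 4 output bytes per byte.
 * Returns DECODE_REJECTED when the guard fires. Counting stops as soon as the
 * total passes out_cap, so the wrapped case terminates in this model. */
static size_t model_decode(size_t size, size_t block_size, size_t out_cap, int guarded)
{
    size_t written = 0;

    if (block_size == 0)
        return DECODE_REJECTED;            /* never evaluate size % 0 */
    while (size > 0) {
        if (size % block_size == 0) {      /* block boundary: consume the header */
            if (guarded && size < HDR_MONO)
                return DECODE_REJECTED;    /* truncated block: refuse to subtract */
            size -= HDR_MONO;              /* unguarded: wraps to ~SIZE_MAX if size < 4 */
            if (size == 0)
                break;                     /* block held a header only */
        }
        written += 4;
        if (written > out_cap)
            return written;                /* first write past the output buffer */
        size--;
    }
    return written;
}

int main(void)
{
    /* Constructed inputs: 3 bytes left with a block size of 3, 12-byte output. */
    printf("unguarded: %zu\n", model_decode(3, 3, 12, 0));
    printf("guarded:   %zu\n", model_decode(3, 3, 12, 1));
    /* Well-formed input: one 8-byte block (4-byte header + 4 data bytes). */
    printf("benign:    %zu\n", model_decode(8, 8, 32, 1));
    return 0;
}
```

In the unguarded run the loop only stops because the model caps the count at the output size; the guarded run rejects the truncated block before any subtraction takes place.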
Details
- CWE(s)