Cyber Resilience

CVE-2026-31883

Medium · Public PoC

Published: 13 March 2026
Modified: 17 March 2026
KEV Added: not listed
Patch: FreeRDP 3.24.0
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0032 (23.4th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-31883 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Freerdp Freerdp. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 23.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31883 is a size_t underflow vulnerability in the IMA-ADPCM and MS-ADPCM audio decoders of FreeRDP, a free implementation of the Remote Desktop Protocol, affecting versions prior to 3.24.0. In libfreerdp/codec/dsp.c, the decoders subtract the block header size (4 or 8 bytes) from a size_t variable without an underflow check. When a server-supplied nBlockAlign value makes size % block_size == 0 hold at a point where size is smaller than the header, the subtraction wraps size to approximately SIZE_MAX, so the while (size > 0) loop runs for an astronomical number of iterations and produces a heap-buffer-overflow write via the RDPSND audio channel. The issue is classified as CWE-122 (heap-based buffer overflow) and CWE-191 (integer underflow).

The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N): network accessible, low attack complexity, no privileges or user interaction required, unchanged scope, low confidentiality and integrity impact, and no availability impact. A remote, unauthenticated attacker who controls the RDP server that a FreeRDP client connects to can deliver crafted audio data over the RDPSND channel; the resulting overflow can lead to partial information disclosure or modification.

FreeRDP addresses the issue in version 3.24.0. The GitHub security advisory GHSA-85x9-4xxp-xhm5 and fixing commit 16df2300e1e3f5a51f68fb1626429e58b531b7c8 detail the patch, which practitioners should apply by upgrading affected clients.

EU & UK References

Vulnerability details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to a heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.
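The size_t wrap described in the advisory text above and in the deeper analysis, modelled in C as an added example. This is not FreeRDP's dsp.c code: the header sizes (4 bytes IMA-ADPCM, 8 bytes MS-ADPCM) come from the advisory, while the loop body (consume a header whenever size % block_align == 0, otherwise one byte per iteration) is an assumed simplification chosen to make the arithmetic observable. The unchecked subtraction sits beside the bounds check that closes this class of bug; the simulated loop is capped so the wrapped case terminates.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not FreeRDP code. Models the size_t arithmetic described in
 * the advisory: a decoder that parses a block header (4 bytes IMA-ADPCM,
 * 8 bytes MS-ADPCM) whenever size % block_align == 0, and otherwise consumes
 * one byte per iteration (assumed simplification of the real decoder). */

/* Unchecked subtraction: when size < header the result wraps modulo 2^64,
 * which is the defect the advisory describes. */
size_t unchecked_remaining(size_t size, size_t header)
{
    return size - header;
}

/* Hardened form: refuse to parse a header that does not fit in `size`. */
bool checked_remaining(size_t size, size_t header, size_t *remaining)
{
    if (size < header)
        return false;
    *remaining = size - header;
    return true;
}

/* Vulnerable pattern: while (size > 0) with the unchecked subtraction.
 * Returns the number of iterations run; max_iters caps the loop so that a
 * wrapped size is observable instead of running for roughly 2^62 iterations. */
unsigned long simulate_unchecked(size_t size, size_t block_align, size_t header,
                                 unsigned long max_iters)
{
    unsigned long iters = 0;
    while (size > 0 && iters < max_iters) {
        if (block_align != 0 && size % block_align == 0)
            size = unchecked_remaining(size, header); /* wraps if size < header */
        else
            size -= 1;
        iters++;
    }
    return iters;
}

/* Fixed pattern: same loop, but a header that does not fit is rejected.
 * Returns the iteration count, or -1 if the input was rejected. */
long simulate_checked(size_t size, size_t block_align, size_t header,
                      unsigned long max_iters)
{
    unsigned long iters = 0;
    while (size > 0 && iters < max_iters) {
        if (block_align != 0 && size % block_align == 0) {
            if (!checked_remaining(size, header, &size))
                return -1; /* header larger than remaining data: reject */
        } else {
            size -= 1;
        }
        iters++;
    }
    return (long)iters;
}

int main(void)
{
    /* Constructed inputs: a well-formed 8-byte stream with 4-byte headers at
     * block_align 4, and a 2-byte stream with block_align 2, where the header
     * parse fires while only 2 bytes remain. */
    printf("well-formed: unchecked=%lu checked=%ld\n",
           simulate_unchecked(8, 4, 4, 1000), simulate_checked(8, 4, 4, 1000));
    printf("size 2 minus header 4 wraps to %zu\n", unchecked_remaining(2, 4));
    printf("truncated: unchecked=%lu (hit cap) checked=%ld (rejected)\n",
           simulate_unchecked(2, 2, 4, 1000), simulate_checked(2, 2, 4, 1000));
    return 0;
}
```

The well-formed stream finishes in two iterations under both variants. The truncated stream wraps `size` to SIZE_MAX - 1 in the unchecked loop, which then only stops because of the cap; the checked loop rejects the block before any subtraction happens, which is the behaviour a reviewer should look for wherever a header length is subtracted from a remaining-bytes counter.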

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Vulnerability in FreeRDP client audio decoders is directly triggered by a malicious RDP server supplying crafted RDPSND data, enabling remote code execution on the client without user interaction or privileges; this precisely matches T1203 Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23530 (same product: Freerdp Freerdp)
CVE-2026-23532 (same product: Freerdp Freerdp)
CVE-2026-23531 (same product: Freerdp Freerdp)
CVE-2026-44421 (same product: Freerdp Freerdp)
CVE-2026-23533 (same product: Freerdp Freerdp)
CVE-2026-22854 (same product: Freerdp Freerdp)
CVE-2026-31806 (same product: Freerdp Freerdp)
CVE-2026-40033 (same product: Freerdp Freerdp)
CVE-2026-23534 (same product: Freerdp Freerdp)
CVE-2026-33986 (same product: Freerdp Freerdp)

Affected Assets

Vendor: freerdp
Product: freerdp
Versions: ≤ 3.24.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent (SI-2, Flaw Remediation): Directly requires timely application of the vendor patch (FreeRDP 3.24.0) that adds the missing size_t underflow checks in dsp.c.

prevent (SI-10, Information Input Validation): Mandates validation of untrusted input (server-supplied nBlockAlign and ADPCM block data on RDPSND) before arithmetic or buffer operations.

prevent: Allows disabling the RDPSND audio channel entirely when not required, eliminating the attack surface for the ADPCM decoder path.

References