Cyber Resilience

CVE-2026-31884

MediumPublic PoC

Published: 13 March 2026

Published
13 March 2026
Modified
17 March 2026
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS Score 0.0007 20.7th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31884 is a medium-severity Divide By Zero (CWE-369) vulnerability in Freerdp Freerdp. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 20.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31884 is a division-by-zero vulnerability in the MS-ADPCM and IMA-ADPCM decoders of FreeRDP, a free implementation of the Remote Desktop Protocol, affecting versions prior to 3.24.0. The issue occurs in libfreerdp/codec/dsp.c when processing audio data from the Server Audio Formats PDU on the RDPSND channel. Specifically, the decoders perform a modulo operation using block_size derived from the unvalidated nBlockAlign field; if nBlockAlign is 0, this triggers a SIGFPE (floating-point exception), resulting in a crash. The vulnerability is classified under CWE-369 (Divide by Zero) with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

A remote attacker can exploit this vulnerability over the network by tricking a user into connecting a FreeRDP client to a malicious RDP server. The attacker sends a crafted Server Audio Formats PDU with nBlockAlign set to 0, which propagates without validation to the decoder. No privileges are required on the attacker's part, but user interaction is needed to initiate the RDP connection. Successful exploitation causes a denial-of-service via client crash, with no impact on confidentiality or integrity.

The FreeRDP security advisory (GHSA-jp7m-94ww-p56r) and related commits detail the fix in version 3.24.0, which adds validation to prevent zero values from reaching the decoder. Security practitioners should upgrade FreeRDP clients to 3.24.0 or later; patch details are available in commits 03b48b3601d867afccac1cdc6081de7a275edce7 and 16df2300e1e3f5a51f68fb1626429e58b531b7c8 on the FreeRDP GitHub repository.

EU & UK References

Vulnerability details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, division by zero in MS-ADPCM and IMA-ADPCM decoders when nBlockAlign is 0, leading to a crash. In libfreerdp/codec/dsp.c, both ADPCM decoders use size % block_size where block_size…

more

= context->common.format.nBlockAlign. The nBlockAlign value comes from the Server Audio Formats PDU on the RDPSND channel. The value 0 is not validated anywhere before reaching the decoder. When nBlockAlign = 0, the modulo operation causes a SIGFPE (floating point exception) crash. This vulnerability is fixed in 3.24.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Division-by-zero in FreeRDP client decoder (triggered by malicious RDPSND PDU from server) directly enables application crash, matching T1499.004 Endpoint Denial of Service via Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24675Same product: Freerdp Freerdp
CVE-2026-24684Same product: Freerdp Freerdp
CVE-2026-24679Same product: Freerdp Freerdp
CVE-2026-25942Same product: Freerdp Freerdp
CVE-2026-26986Same product: Freerdp Freerdp
CVE-2026-27950Same product: Freerdp Freerdp
CVE-2026-29775Same product: Freerdp Freerdp
CVE-2026-24491Same product: Freerdp Freerdp
CVE-2026-25954Same product: Freerdp Freerdp
CVE-2026-24680Same product: Freerdp Freerdp

Affected Assets

freerdp
freerdp
≤ 3.24.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of nBlockAlign received in the Server Audio Formats PDU before it reaches the ADPCM decoders, preventing the modulo-by-zero crash.

prevent

Mandates timely application of the vendor patch (FreeRDP 3.24.0) that adds the missing zero-value check in libfreerdp/codec/dsp.c.

prevent

Requires mechanisms to protect against denial-of-service conditions triggered by malformed RDP audio PDUs on the RDPSND channel.

References