CVE-2026-31884
Published: 13 March 2026
Summary
CVE-2026-31884 is a medium-severity Divide By Zero (CWE-369) vulnerability in Freerdp Freerdp. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 14.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Division-by-zero in FreeRDP client decoder (triggered by malicious RDPSND PDU from server) directly enables application crash, matching T1499.004 Endpoint Denial of Service via Application or System Exploitation.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, division by zero in MS-ADPCM and IMA-ADPCM decoders when nBlockAlign is 0, leading to a crash. In libfreerdp/codec/dsp.c, both ADPCM decoders use size % block_size where block_size…
more
= context->common.format.nBlockAlign. The nBlockAlign value comes from the Server Audio Formats PDU on the RDPSND channel. The value 0 is not validated anywhere before reaching the decoder. When nBlockAlign = 0, the modulo operation causes a SIGFPE (floating point exception) crash. This vulnerability is fixed in 3.24.0.
Deeper analysisAI
CVE-2026-31884 is a division-by-zero vulnerability in the MS-ADPCM and IMA-ADPCM decoders of FreeRDP, a free implementation of the Remote Desktop Protocol, affecting versions prior to 3.24.0. The issue occurs in libfreerdp/codec/dsp.c when processing audio data from the Server Audio Formats PDU on the RDPSND channel. Specifically, the decoders perform a modulo operation using block_size derived from the unvalidated nBlockAlign field; if nBlockAlign is 0, this triggers a SIGFPE (floating-point exception), resulting in a crash. The vulnerability is classified under CWE-369 (Divide by Zero) with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).
A remote attacker can exploit this vulnerability over the network by tricking a user into connecting a FreeRDP client to a malicious RDP server. The attacker sends a crafted Server Audio Formats PDU with nBlockAlign set to 0, which propagates without validation to the decoder. No privileges are required on the attacker's part, but user interaction is needed to initiate the RDP connection. Successful exploitation causes a denial-of-service via client crash, with no impact on confidentiality or integrity.
The FreeRDP security advisory (GHSA-jp7m-94ww-p56r) and related commits detail the fix in version 3.24.0, which adds validation to prevent zero values from reaching the decoder. Security practitioners should upgrade FreeRDP clients to 3.24.0 or later; patch details are available in commits 03b48b3601d867afccac1cdc6081de7a275edce7 and 16df2300e1e3f5a51f68fb1626429e58b531b7c8 on the FreeRDP GitHub repository.
Details
- CWE(s)