Cyber Resilience

CVE-2026-31885

MediumPublic PoC

Published: 13 March 2026

Published
13 March 2026
Modified
17 March 2026
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score 0.0026 17.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-31885 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Freerdp Freerdp. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked at the 17.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31885 is an out-of-bounds read vulnerability (CWE-125) in the MS-ADPCM and IMA-ADPCM decoders of FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). Versions prior to 3.24.0 are affected due to unchecked predictor and step_index values derived from untrusted input data. The issue was published on 2026-03-13 and carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N), indicating medium severity with high confidentiality impact potential.

A remote attacker can exploit this vulnerability over the network with low complexity and no privileges required, but it necessitates user interaction, such as opening a malicious RDP file or connecting to a crafted RDP server using a vulnerable FreeRDP client. Successful exploitation triggers the out-of-bounds read, potentially allowing disclosure of sensitive information from process memory, though it does not affect integrity or availability.

The FreeRDP security advisory (GHSA-h23r-3988-3wf3) and associated commit (16df2300e1e3f5a51f68fb1626429e58b531b7c8) confirm the vulnerability is fixed in version 3.24.0, recommending immediate upgrades to patched releases for mitigation. No workarounds are specified beyond updating.

EU & UK References

Vulnerability details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input data. This vulnerability is fixed in 3.24.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Why these techniques?

OOB read in FreeRDP client decoder enables memory disclosure from process space when connecting to malicious RDP server or opening crafted RDP file; directly maps to exploitation for credential access via sensitive data leakage.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25942Same product: Freerdp Freerdp
CVE-2026-33982Same product: Freerdp Freerdp
CVE-2026-31897Same product: Freerdp Freerdp
CVE-2026-22855Same product: Freerdp Freerdp
CVE-2026-22859Same product: Freerdp Freerdp
CVE-2026-25941Same product: Freerdp Freerdp
CVE-2026-22858Same product: Freerdp Freerdp
CVE-2026-33985Same product: Freerdp Freerdp
CVE-2026-29775Same product: Freerdp Freerdp
CVE-2026-24677Same product: Freerdp Freerdp

Affected Assets

freerdp
freerdp
≤ 3.24.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch that corrects the unchecked predictor/step_index values in the ADPCM decoders.

prevent

Mandates validation of untrusted input data, which would have rejected the out-of-range predictor and step_index values that trigger the out-of-bounds read.

preventdetect

Requires malicious-code protection mechanisms that can inspect or sandbox RDP content before it reaches the vulnerable ADPCM decoders.

References