CVE-2026-33984
Published: 30 March 2026
Summary
CVE-2026-33984 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Freerdp Freerdp. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely patching of the specific heap buffer overflow vulnerability in FreeRDP versions prior to 3.24.2 to eliminate the flaw.
Implements memory safeguards like ASLR, DEP, and heap protections that block exploitation of the heap buffer overflow even if unpatched.
Requires secure error handling for memory reallocation failures to avoid inflated size states with undersized buffers leading to overflows.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow in FreeRDP client enables arbitrary code execution when victim connects to malicious RDP server, directly mapping to client-side exploitation.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in resize_vbar_entry() in libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count before the winpr_aligned_recalloc() call. If realloc fails, size is inflated while pixels still points to the old,…
more
smaller buffer. On a subsequent call where count <= size (the inflated value), realloc is skipped. The caller then writes count * bpp bytes of attacker-controlled pixel data into the undersized buffer, causing a heap buffer overflow. This issue has been patched in version 3.24.2.
Deeper analysisAI
CVE-2026-33984 is a heap buffer overflow vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). The issue affects versions prior to 3.24.2 and resides in the resize_vbar_entry() function within libfreerdp/codec/clear.c. Specifically, vBarEntry->size is updated to vBarEntry->count before the winpr_aligned_recalloc() call; if the reallocation fails, the size remains inflated while the pixels pointer still references the original smaller buffer. In a follow-up call where count is less than or equal to the inflated size, reallocation is skipped, allowing the caller to write count * bpp bytes of attacker-controlled pixel data into the undersized buffer.
A remote attacker with no privileges can exploit this vulnerability over the network, though it requires high attack complexity and user interaction, such as tricking a user into connecting to a malicious RDP server. Successful exploitation leads to high-impact consequences, including arbitrary code execution, data corruption, or denial of service via the heap buffer overflow, as indicated by the CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). The vulnerability is associated with CWE-122 (Heap-based Buffer Overflow) and CWE-131 (Incorrect Calculation of Buffer Size).
The vulnerability has been patched in FreeRDP version 3.24.2. Security practitioners should update to this version or later. Additional details are available in the FreeRDP security advisory (GHSA-8469-2xcx-frf6) and the patching commit (dc7fdb165095139be779a4000199bc1706b06ad5) on the project's GitHub repository.
Details
- CWE(s)