CVE-2026-33986
Published: 30 March 2026
Summary
CVE-2026-33986 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Freerdp Freerdp. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 15.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of the specific flaw in FreeRDP's H.264 decoder via patching to version 3.24.2, eliminating the memory corruption risk.
Implements memory protection mechanisms like ASLR and DEP that mitigate exploitation of the heap-based buffer overflow resulting from inflated dimensions after failed reallocation.
Ensures secure error handling during reallocation failures, preventing the inconsistent state where dimensions are inflated without corresponding buffer adjustments.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a client-side heap buffer overflow in FreeRDP (RDP client) triggered by a malicious server during H.264 decoding, directly enabling remote code execution on the victim system via exploitation of a client application vulnerability.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in yuv_ensure_buffer() in libfreerdp/codec/h264.c, h264->width and h264->height are updated before the reallocation loop. If any winpr_aligned_recalloc() call fails, the function returns FALSE but width/height are already…
more
inflated. This issue has been patched in version 3.24.2.
Deeper analysisAI
CVE-2026-33986 affects FreeRDP, a free implementation of the Remote Desktop Protocol, in versions prior to 3.24.2. The vulnerability is in the yuv_ensure_buffer() function within libfreerdp/codec/h264.c, where the h264->width and h264->height fields are updated before a reallocation loop involving winpr_aligned_recalloc() calls. If any reallocation fails, the function returns FALSE while leaving the dimensions inflated, potentially leading to memory corruption. This issue maps to CWE-122 (Heap-based Buffer Overflow) and CWE-131 (Incorrect Calculation of Buffer Size), with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), published on 2026-03-30.
The vulnerability can be exploited remotely over the network by an unauthenticated attacker requiring high attack complexity and user interaction. A victim must connect via FreeRDP to a malicious RDP server that triggers the faulty H.264 decoding path, causing the inflated dimensions to mismanage buffers upon reallocation failure and enabling arbitrary code execution or denial of service with high impacts to confidentiality, integrity, and availability.
FreeRDP version 3.24.2 patches this issue. Mitigation details are provided in the GitHub commit at https://github.com/FreeRDP/FreeRDP/commit/f6e43e208958140074ae9bb93cd0c9045a371c77 and the security advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h6qw-wxvm-hf97.
Details
- CWE(s)