CVE-2026-33987
Published: 30 March 2026
Summary
CVE-2026-33987 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Freerdp Freerdp. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 3.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the heap-based buffer overflow flaw in FreeRDP's persistent_cache_read_entry_v3() by applying the patch released in version 3.24.2.
Implements memory protection techniques such as ASLR and DEP to prevent exploitation of the heap buffer overflow and subsequent memory corruption.
Requires secure error handling for memory reallocation failures to avoid updating buffer sizes prematurely and leaving inconsistent states exploitable for corruption.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap-based buffer overflow in FreeRDP client library (persistent cache handling) enables arbitrary code execution via crafted input to the vulnerable client application, directly mapping to T1203 Exploitation for Client Execution.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in persistent_cache_read_entry_v3() in libfreerdp/cache/persistent.c, persistent->bmpSize is updated before winpr_aligned_recalloc(). If realloc fails, bmpSize is inflated while bmpData points to the old buffer. This issue has been…
more
patched in version 3.24.2.
Deeper analysisAI
CVE-2026-33987 affects FreeRDP, a free implementation of the Remote Desktop Protocol, in versions prior to 3.24.2. The vulnerability resides in the persistent_cache_read_entry_v3() function within libfreerdp/cache/persistent.c, where persistent->bmpSize is updated before the winpr_aligned_recalloc() call. If the reallocation fails, bmpSize becomes inflated while bmpData continues to point to the old buffer, potentially leading to memory corruption. It is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-131 (Incorrect Calculation of Buffer Size), with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).
A local attacker with no privileges required can exploit this vulnerability, though it demands low attack complexity and user interaction. Exploitation could result in high-impact integrity violations, such as data tampering, and high-impact availability disruptions, like application crashes or denial of service, without affecting confidentiality.
The vulnerability has been addressed in FreeRDP version 3.24.2. Mitigation details are provided in the patch commit at https://github.com/FreeRDP/FreeRDP/commit/1a890eb43492b5eb707cb3dd6fc908f696e8fc1c and the GitHub security advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-ff8h-p5vc-wcwc.
Details
- CWE(s)