CVE-2026-33984
HIGHFreeRDP: ClearCodec resize_vbar_entry() Heap OOB Write
Title source: cnaDescription
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in resize_vbar_entry() in libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count before the winpr_aligned_recalloc() call. If realloc fails, size is inflated while pixels still points to the old, smaller buffer. On a subsequent call where count <= size (the inflated value), realloc is skipped. The caller then writes count * bpp bytes of attacker-controlled pixel data into the undersized buffer, causing a heap buffer overflow. This issue has been patched in version 3.24.2.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8469-2xcx-frf6
X_Refsource_Misc x_refsource_misc
https://github.com/FreeRDP/FreeRDP/commit/dc7fdb165095139be779a4000199bc1706b06ad5
Scores
CVSS v3
7.5
EPSS
0.0024
EPSS Percentile
15.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-122
CWE-131
Status
published
Products (2)
freerdp/freerdp
< 3.24.2
FreeRDP/FreeRDP
< 3.24.2
Published
Mar 30, 2026
Tracked Since
Mar 31, 2026