Summaryinfo

A vulnerability categorized as critical has been discovered in FreeRDP up to 3.24.1. Affected by this issue is the function winpr_aligned_offset_recalloc. Such manipulation leads to out-of-bounds. This vulnerability is listed as CVE-2026-33982. The attack must be carried out locally. There is no available exploit. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, has been found in FreeRDP up to 3.24.1. Affected by this issue is the function winpr_aligned_offset_recalloc. The manipulation with an unknown input leads to a out-of-bounds vulnerability. Using CWE to declare the problem leads to CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. Impacted is confidentiality, integrity, and availability. CVE summarizes:

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, there is a heap-buffer-overflow READ vulnerability at 24 bytes before the allocation, in winpr_aligned_offset_recalloc(). This issue has been patched in version 3.24.2.

The advisory is available at github.com. This vulnerability is handled as CVE-2026-33982 since 03/24/2026. The exploitation is known to be easy. Local access is required to approach this attack. Successful exploitation requires user interaction by the victim. Technical details are known, but there is no available exploit.

Upgrading to version 3.24.2 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-17225). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Remote Access Software

Name

• FreeRDP

Version

• 3.24.0
• 3.24.1

License

• open-source

Website

• Product: https://github.com/FreeRDP/FreeRDP/

CPE 2.3info

• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion