CVE-2026-33984

{"id": "CVE-2026-33984", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}]}, "published": "2026-03-30T22:16:19.567", "references": [{"url": "https://github.com/FreeRDP/FreeRDP/commit/dc7fdb165095139be779a4000199bc1706b06ad5", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8469-2xcx-frf6", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-131"}]}], "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in resize_vbar_entry() in libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count before the winpr_aligned_recalloc() call. If realloc fails, size is inflated while pixels still points to the old, smaller buffer. On a subsequent call where count <= size (the inflated value), realloc is skipped. The caller then writes count * bpp bytes of attacker-controlled pixel data into the undersized buffer, causing a heap buffer overflow. This issue has been patched in version 3.24.2."}, {"lang": "es", "value": "FreeRDP es una implementaci\u00f3n gratuita del Protocolo de Escritorio Remoto. Antes de la versi\u00f3n 3.24.2, en resize_vbar_entry() en libfreerdp/codec/clear.c, vBarEntry-&gt;size se actualiza a vBarEntry-&gt;count antes de la llamada a winpr_aligned_recalloc(). Si realloc falla, size se infla mientras pixels a\u00fan apunta al b\u00fafer antiguo y m\u00e1s peque\u00f1o. En una llamada posterior donde count &lt;= size (el valor inflado), realloc se omite. El llamador luego escribe count * bpp bytes de datos de p\u00edxeles controlados por el atacante en el b\u00fafer de tama\u00f1o insuficiente, causando un desbordamiento de b\u00fafer de pila. Este problema ha sido parcheado en la versi\u00f3n 3.24.2."}], "lastModified": "2026-04-01T20:02:05.927", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "03FF152C-C651-4586-8958-1555D9797516", "versionEndExcluding": "3.24.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}