Bug 2453224 (CVE-2026-33977)

Summary: CVE-2026-33977 FreeRDP: FreeRDP: Denial of Service via malformed IMA ADPCM audio data
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). A malicious RDP server can exploit this vulnerability by sending specially crafted audio data in IMA ADPCM format with an invalid initial step index value. This unvalidated input can cause the FreeRDP client to crash, leading to a Denial of Service (DoS) for affected users. This issue impacts FreeRDP clients with audio redirection (RDPSND) enabled, which is the default configuration.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2453254, 2453256, 2453255    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-30 22:02:11 UTC 
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a malicious RDP server can crash the FreeRDP client by sending audio data in IMA ADPCM format with an invalid initial step index value (>= 89). The unvalidated step index is read directly from the network and used to index into a 89-entry lookup table, triggering a WINPR_ASSERT() failure and process abort via SIGABRT. This affects any FreeRDP client that has audio redirection (RDPSND) enabled, which is the default configuration. This issue has been patched in version 3.24.2.