2447386 – (CVE-2026-31883) CVE-2026-31883 freerdp: FreeRDP has a `size_t` underflow in ADPCM decoder leads to heap-buffer-overflow write

Bug 2447386 (CVE-2026-31883) - CVE-2026-31883 freerdp: FreeRDP has a `size_t` underflow in ADPCM decoder leads to heap-buffer-overflow write

Summary: CVE-2026-31883 freerdp: FreeRDP has a `size_t` underflow in ADPCM decoder lea...

Keywords:
Status:	NEW
Alias:	CVE-2026-31883
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2447411 2447412 2447413
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-13 18:04 UTC by OSIDB Bzimport
Modified:	2026-03-13 19:44 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-13 18:04:24 UTC

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.

Note You need to log in before you can comment on or make changes to this bug.