Security Vulnerability Report
CVE-2026-33984 CVSS 7.5 HIGH

CVE-2026-33984

Published: 2026-03-30 22:16:20
Last Modified: 2026-04-01 20:02:06

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in resize_vbar_entry() in libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count before the winpr_aligned_recalloc() call. If realloc fails, size is inflated while pixels still points to the old, smaller buffer. On a subsequent call where count <= size (the inflated value), realloc is skipped. The caller then writes count * bpp bytes of attacker-controlled pixel data into the undersized buffer, causing a heap buffer overflow. This issue has been patched in version 3.24.2.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:* - VULNERABLE
FreeRDP < 3.24.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * PoC Concept for CVE-2026-33984
 * Demonstrating the logic flaw in resize_vbar_entry
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    size_t size;
    size_t count;
    char *pixels;
} BarEntry;

/* Set to 1 to make the next reallocation fail (simulated out-of-memory). */
static int fail_next_realloc = 0;

static void *sim_realloc(void *ptr, size_t n)
{
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;
    }
    return realloc(ptr, n);
}

// Simulating the vulnerable logic
void vulnerable_resize(BarEntry *entry, size_t new_count)
{
    if (new_count > entry->size) {
        // VULNERABILITY: size updated before reallocation
        entry->size = new_count;
        // Simulate allocation failure
        char *new_pixels = (char *)sim_realloc(entry->pixels, new_count);
        if (!new_pixels) {
            printf("Reallocation failed, but size is already updated!\n");
            return; // Returns with inflated size and old pointer
        }
        entry->pixels = new_pixels;
    }
}

int main(void)
{
    BarEntry entry = {0};
    entry.pixels = (char *)malloc(10);
    if (!entry.pixels)
        return 1;
    entry.size = 10;
    printf("Initial size: %zu\n", entry.size);

    // Trigger the vulnerable path with a request that forces a realloc failure scenario
    // In a real exploit, this would be triggered by specific RDP stream data
    fail_next_realloc = 1;
    vulnerable_resize(&entry, 1000);
    printf("Size after failed realloc: %zu\n", entry.size);
    printf("Buffer pointer: %p\n", (void *)entry.pixels);

    // Next call skips realloc because 500 <= 1000 (inflated size)
    vulnerable_resize(&entry, 500);

    // Overflow happens here writing 500 bytes to a 10-byte buffer
    memset(entry.pixels, 'A', 500);
    return 0;
}
```
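The corrected ordering for the flaw described above, as an added example (it is not FreeRDP's patch and not code from this page): the capacity field is committed only after the allocation succeeds, and the caller writes only when the resize reports success. `BarEntry`, `safe_resize`, `safe_fill`, the `bpp` parameter and the `fail_next_alloc` hook are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the cache entry; not FreeRDP's own struct. */
typedef struct {
    size_t size;            /* capacity of pixels, in elements */
    size_t count;           /* elements the caller will write */
    unsigned char *pixels;
} BarEntry;

static int fail_next_alloc = 0; /* test hook: force one allocation failure */
static void *hooked_realloc(void *p, size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return realloc(p, n);
}

/* Returns 1 on success, 0 on failure; size changes only with the buffer. */
int safe_resize(BarEntry *e, size_t count, size_t bpp)
{
    if (bpp == 0 || count > SIZE_MAX / bpp) return 0; /* count * bpp wraps */
    if (count > e->size) {
        unsigned char *p = hooked_realloc(e->pixels, count * bpp);
        if (!p) return 0;           /* old pointer and old size still agree */
        e->pixels = p;
        e->size = count;            /* committed after the allocation */
    }
    e->count = count;
    return 1;
}

/* Caller side: write only when the resize reported success. */
int safe_fill(BarEntry *e, size_t count, size_t bpp, int value)
{
    if (!safe_resize(e, count, bpp)) return 0;
    memset(e->pixels, value, count * bpp);
    return 1;
}

int main(void)
{
    BarEntry e = { 0, 0, NULL };
    safe_fill(&e, 10, 4, 0);
    fail_next_alloc = 1;            /* constructed failure on the grow to 1000 */
    int ok = !safe_fill(&e, 1000, 4, 'A') && safe_fill(&e, 500, 4, 'A');
    free(e.pixels);
    return ok ? 0 : 1;
}
```

After the forced failure `size` is still 10, so the later request for 500 elements goes through the allocator again instead of being treated as already satisfied.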

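References

https://github.com/FreeRDP/FreeRDP/commit/dc7fdb165095139be779a4000199bc1706b06ad5 (Patch)
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8469-2xcx-frf6 (Patch, Vendor Advisory)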

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-33984", "sourceIdentifier": "[email protected]", "published": "2026-03-30T22:16:19.567", "lastModified": "2026-04-01T20:02:05.927", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in resize_vbar_entry() in libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count before the winpr_aligned_recalloc() call. If realloc fails, size is inflated while pixels still points to the old, smaller buffer. On a subsequent call where count <= size (the inflated value), realloc is skipped. The caller then writes count * bpp bytes of attacker-controlled pixel data into the undersized buffer, causing a heap buffer overflow. This issue has been patched in version 3.24.2."}, {"lang": "es", "value": "FreeRDP es una implementación gratuita del Protocolo de Escritorio Remoto. Antes de la versión 3.24.2, en resize_vbar_entry() en libfreerdp/codec/clear.c, vBarEntry->size se actualiza a vBarEntry->count antes de la llamada a winpr_aligned_recalloc(). Si realloc falla, size se infla mientras pixels aún apunta al búfer antiguo y más pequeño. En una llamada posterior donde count <= size (el valor inflado), realloc se omite. El llamador luego escribe count * bpp bytes de datos de píxeles controlados por el atacante en el búfer de tamaño insuficiente, causando un desbordamiento de búfer de pila. Este problema ha sido parcheado en la versión 3.24.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-131"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.24.2", "matchCriteriaId": "03FF152C-C651-4586-8958-1555D9797516"}]}]}], "references": [{"url": "https://github.com/FreeRDP/FreeRDP/commit/dc7fdb165095139be779a4000199bc1706b06ad5", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8469-2xcx-frf6", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}
```