DEBIAN-CVE-2026-33977

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-33977
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33977.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-33977
Upstream
Published
2026-03-30T22:16:19.117Z
Modified
2026-05-16T14:00:25.595072084Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a malicious RDP server can crash the FreeRDP client by sending audio data in IMA ADPCM format with an invalid initial step index value (>= 89). The unvalidated step index is read directly from the network and used to index into a 89-entry lookup table, triggering a WINPR_ASSERT() failure and process abort via SIGABRT. This affects any FreeRDP client that has audio redirection (RDPSND) enabled, which is the default configuration. This issue has been patched in version 3.24.2.

References

Affected packages

Debian:11 / freerdp2

Package

Name
freerdp2
Purl
pkg:deb/debian/freerdp2?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.3.0+dfsg1-2
2.3.0+dfsg1-2+deb11u1
2.3.0+dfsg1-2+deb11u2
2.3.0+dfsg1-2+deb11u3
2.4.1+dfsg1-1
2.5.0+dfsg1-1
2.6.0+dfsg1-1
2.6.1+dfsg1-1
2.6.1+dfsg1-2
2.6.1+dfsg1-3~bpo11+1
2.6.1+dfsg1-3
2.7.0+dfsg1-1~bpo11+1
2.7.0+dfsg1-1
2.8.0+dfsg1-1
2.8.1+dfsg1-1~bpo11+1
2.8.1+dfsg1-1
2.9.0+dfsg1-1~bpo11+1
2.9.0+dfsg1-1
2.10.0+dfsg1-1~bpo11+1
2.10.0+dfsg1-1
2.10.0+dfsg1-1.1
2.11.2+dfsg1-1
2.11.2+dfsg1-1.1~exp1
2.11.2+dfsg1-1.1~exp2
2.11.5+dfsg1-1
2.11.7+dfsg1-1
2.11.7+dfsg1-2
2.11.7+dfsg1-3
2.11.7+dfsg1-4
2.11.7+dfsg1-5
2.11.7+dfsg1-6~deb12u1
2.11.7+dfsg1-6

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33977.json"

Debian:12 / freerdp2

Package

Name
freerdp2
Purl
pkg:deb/debian/freerdp2?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.10.0+dfsg1-1
2.10.0+dfsg1-1.1
2.11.2+dfsg1-1
2.11.2+dfsg1-1.1~exp1
2.11.2+dfsg1-1.1~exp2
2.11.5+dfsg1-1
2.11.7+dfsg1-1
2.11.7+dfsg1-2
2.11.7+dfsg1-3
2.11.7+dfsg1-4
2.11.7+dfsg1-5
2.11.7+dfsg1-6~deb12u1
2.11.7+dfsg1-6

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33977.json"

Debian:13 / freerdp3

Package

Name
freerdp3
Purl
pkg:deb/debian/freerdp3?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.15.0+dfsg-2.1+deb13u2

Affected versions

3.*
3.15.0+dfsg-2.1
3.15.0+dfsg-2.1+deb13u1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33977.json"

Debian:14 / freerdp3

Package

Name
freerdp3
Purl
pkg:deb/debian/freerdp3?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.24.2+dfsg-1

Affected versions

3.*
3.15.0+dfsg-2.1
3.16.0+dfsg-1
3.16.0+dfsg-2
3.17.0+dfsg-1
3.17.1+dfsg-1
3.17.1+dfsg-2
3.17.2+dfsg-1
3.17.2+dfsg-2
3.17.2+dfsg-3
3.18.0+dfsg-1
3.19.0+dfsg-1
3.19.1+dfsg-1
3.20.0+dfsg-1
3.20.2+dfsg-1
3.21.0+dfsg-1
3.22.0+dfsg-1~bpo13+0
3.22.0+dfsg-1~bpo13+1
3.22.0+dfsg-1
3.22.0+dfsg-3
3.23.0+dfsg-1~bpo13+1
3.23.0+dfsg-1
3.24.0+dfsg-1
3.24.0+dfsg-2
3.24.1+dfsg-1
3.24.2+dfsg-1~bpo13+1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33977.json"