{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-33986","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-03-24T22:20:06.211Z","datePublished":"2026-03-30T21:43:21.951Z","dateUpdated":"2026-06-30T12:09:18.549Z"},"containers":{"cna":{"title":"FreeRDP: H.264 YUV Buffer Dimension Desync - Heap OOB Write","problemTypes":[{"descriptions":[{"cweId":"CWE-122","lang":"en","description":"CWE-122: Heap-based Buffer Overflow","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-131","lang":"en","description":"CWE-131: Incorrect Calculation of Buffer Size","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h6qw-wxvm-hf97","tags":["x_refsource_CONFIRM"],"url":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h6qw-wxvm-hf97"},{"name":"https://github.com/FreeRDP/FreeRDP/commit/f6e43e208958140074ae9bb93cd0c9045a371c77","tags":["x_refsource_MISC"],"url":"https://github.com/FreeRDP/FreeRDP/commit/f6e43e208958140074ae9bb93cd0c9045a371c77"}],"affected":[{"vendor":"FreeRDP","product":"FreeRDP","versions":[{"version":"< 3.24.2","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-03-30T21:43:21.951Z"},"descriptions":[{"lang":"en","value":"FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in yuv_ensure_buffer() in libfreerdp/codec/h264.c, h264->width and h264->height are updated before the reallocation loop. If any winpr_aligned_recalloc() call fails, the function returns FALSE but width/height are already inflated. This issue has been patched in version 3.24.2."}],"source":{"advisory":"GHSA-h6qw-wxvm-hf97","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-31T00:00:00+00:00","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3","id":"CVE-2026-33986"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-01T03:55:16.088Z"}},{"affected":[{"cpes":["cpe:/o:redhat:enterprise_linux:6"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 6","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:7"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 7","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"}],"datePublic":"2026-03-30T21:43:21.951Z","descriptions":[{"lang":"en","value":"A flaw was found in FreeRDP, a free implementation of the Remote Desktop Protocol. A remote attacker could exploit a memory allocation vulnerability in the H.264 codec by enticing a user to connect to a malicious server. This flaw occurs when internal buffer dimensions are incorrectly updated after a failed memory reallocation, potentially leading to a heap-based buffer overflow. Successful exploitation could result in arbitrary code execution or a denial of service (DoS), compromising the availability, integrity, and confidentiality of the affected system."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-131","description":"Incorrect Calculation of Buffer Size","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-33986"},{"name":"RHBZ#2453221","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453221"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33986.json"}],"timeline":[{"lang":"en","time":"2026-03-30T22:01:33.630Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-03-30T21:43:21.951Z","value":"Made public."}],"title":"FreeRDP: FreeRDP: Arbitrary code execution or denial of service via H.264 codec memory allocation vulnerability","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:09:18.549Z"}}]}}