Division by Zero Vulnerability in FreeRDP Remote Desktop Protocol Implementation
CVE-2026-31884

6.5MEDIUM

Key Information:

Vendor

Freerdp

Status
Freerdp
Vendor
CVE Published:
13 March 2026

What is CVE-2026-31884?

The FreeRDP project, an open-source implementation of the Remote Desktop Protocol, has a significant vulnerability that arises from improper validation of the nBlockAlign parameter in its audio decoders. Specifically, prior to version 3.24.0, the MS-ADPCM and IMA-ADPCM decoders do not check if the nBlockAlign value is zero. This oversight enables a division by zero condition, leading to a SIGFPE (floating point exception) crash when processing audio data. This vulnerability can affect system stability and performance, particularly when utilizing the RDPSND channel for audio functionality. Users are strongly urged to upgrade to version 3.24.0 or later to mitigate this issue.

Affected Version(s)

FreeRDP < 3.24.0

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/FreeRDP/FreeRDP/commit/03b48b3601d867a...
x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/commit/16df2300e1e3f5a...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.