{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-30T21:42:11Z",
  "bugzilla" : {
    "description" : "FreeRDP: Information disclosure and denial of service via heap-buffer-overflow read",
    "id" : "2453218",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2453218"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, there is a heap-buffer-overflow READ vulnerability at 24 bytes before the allocation, in winpr_aligned_offset_recalloc(). This issue has been patched in version 3.24.2.", "A flaw was found in FreeRDP, a free implementation of the Remote Desktop Protocol. This vulnerability, a heap-buffer-overflow read, exists in the `winpr_aligned_offset_recalloc()` function. A local attacker could exploit this flaw, with user interaction, to read sensitive information from memory, leading to information disclosure, or cause the application to crash, resulting in a denial of service." ],
  "statement" : "Red Hat systems require user authentication in order to interact with FreeRDP binaries. Unauthenticated interaction is not possible in default configurations, so the risk posed by this flaw is slightly mitigated for Red Hat customers.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-11T00:00:00Z",
    "advisory" : "RHSA-2026:16014",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "freerdp-2:3.10.3-5.el10_1.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19142",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "freerdp-2:3.10.3-12.el10_2.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-05-26T00:00:00Z",
    "advisory" : "RHSA-2026:20605",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "freerdp-2:3.10.3-3.el10_0.7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "freerdp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "freerdp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "freerdp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "freerdp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33982\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33982\nhttps://github.com/FreeRDP/FreeRDP/commit/a48dbde2c8a5b8b70a9d1c045d969a71afd6284c\nhttps://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8jm9-2925-g4v2" ],
  "name" : "CVE-2026-33982",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}