{"id":"CVE-2026-33986","summary":"FreeRDP: H.264 YUV Buffer Dimension Desync - Heap OOB Write","details":"FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in yuv_ensure_buffer() in libfreerdp/codec/h264.c, h264-\u003ewidth and h264-\u003eheight are updated before the reallocation loop. If any winpr_aligned_recalloc() call fails, the function returns FALSE but width/height are already inflated. This issue has been patched in version 3.24.2.","aliases":["GHSA-h6qw-wxvm-hf97"],"modified":"2026-05-30T06:55:56.603995Z","published":"2026-03-30T21:43:21.951Z","related":["SUSE-SU-2026:21436-1","openSUSE-SU-2026:10633-1","openSUSE-SU-2026:20657-1"],"database_specific":{"cwe_ids":["CWE-122","CWE-131"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33986.json","cna_assigner":"GitHub_M","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"fixed":"3.24.2"}]}]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33986.json"},{"type":"ADVISORY","url":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h6qw-wxvm-hf97"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33986"},{"type":"FIX","url":"https://github.com/FreeRDP/FreeRDP/commit/f6e43e208958140074ae9bb93cd0c9045a371c77"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/freerdp/freerdp","events":[{"introduced":"0"},{"fixed":"f6e43e208958140074ae9bb93cd0c9045a371c77"}],"database_specific":{"source":"REFERENCES"}}],"versions":["3.5.1","3.5.0","3.4.0","3.3.0","3.2.0","3.1.0","3.0.0","3.0.0-rc0","3.0.0-beta4","3.0.0-beta3","3.0.0-beta2","3.0.0-beta1","2.0.0","2.0.0-rc4","2.0.0-rc3","2.0.0-rc2","2.0.0-rc1","2.0.0-rc0","2.0.0-beta1+android11","2.0.0-beta1+android10","1.2.0-beta1+android9","1.2.0-beta1+android7","1.1.0-beta+2013071101","1.1.0-beta1+ios4","1.1.0-beta1+android5","1.1.0-beta1+android4","1.1.0-beta1+ios3","1.1.0-beta1+ios2","1.1.0-beta1+android3","1.1.0-beta1+android2","1.1.0-beta1+ios1","1.1.0-beta1","1.0.1","1.0.0","1.0-beta5","1.0-beta4","1.0-beta2","1.0-beta1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33986.json","vanir_signatures_modified":"2026-05-30T06:55:56Z","vanir_signatures":[{"id":"CVE-2026-33986-2d3fb466","digest":{"length":1322,"function_hash":"172850258780086269431260710151986143315"},"target":{"function":"yuv_ensure_buffer","file":"libfreerdp/codec/h264.c"},"deprecated":false,"source":"https://github.com/freerdp/freerdp/commit/f6e43e208958140074ae9bb93cd0c9045a371c77","signature_version":"v1","signature_type":"Function"},{"id":"CVE-2026-33986-440bd98d","digest":{"line_hashes":["74394165335505443325400846450578214993","57000031411417770646776585790722478912","61809315941507778020543086733847748815","12234297497225349781847023638155668651","284571293220291470971549570489460076496","243274070205429467887542360603720301941","252665451964816204409499113154037703003","240522512309630831697827857464120036961","63023319149774050960125992398873200987"],"threshold":0.9},"target":{"file":"libfreerdp/codec/h264.c"},"deprecated":false,"source":"https://github.com/freerdp/freerdp/commit/f6e43e208958140074ae9bb93cd0c9045a371c77","signature_version":"v1","signature_type":"Line"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}