NIXPKGS-2026-0886

GitHub issue published on 31 Mar 2026

Permalink CVE-2026-33952

updated 15 hours ago by @mweinelt Activity log

Created automatic suggestion 1 day ago
@mweinelt accepted 16 hours ago
@mweinelt published on GitHub 15 hours ago

FreeRDP: DoS via WINPR_ASSERT in rts_read_auth_verifier_no_checks

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, an unvalidated auth_length field read from the network triggers a WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks(), causing any FreeRDP client connecting through a malicious RDP Gateway to crash with SIGABRT. This is a pre-authentication denial of service affecting all FreeRDP clients using RPC-over-HTTP gateway transport. The assertion is active in default release builds (WITH_VERBOSE_WINPR_ASSERT=ON). This issue has been patched in version 3.24.2.

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4v4p-9v5x-hc93 x_refsource_CONFIRM
https://github.com/FreeRDP/FreeRDP/commit/4ac0b6467d371a1ad47c1f751c5b305e4c068adb x_refsource_MISC

Affected products

FreeRDP

==< 3.24.2

Matching in nixpkgs

pkgs.freerdp

Remote Desktop Protocol Client

nixos-unstable 3.24.1
- nixpkgs-unstable 3.24.1
- nixos-unstable-small 3.24.2
nixos-25.11 3.23.0
- nixos-25.11-small 3.23.0
- nixpkgs-25.11-darwin 3.23.0

Package maintainers

@peterhoeg Peter Hoeg <peter@hoeg.com>

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4v4p-9v5x-hc93

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0886

References

Affected products

Matching in nixpkgs

pkgs.freerdp

Package maintainers