Reachable Assertion Affecting freerdp/freerdp package, versions [,3.24.2)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-UNMANAGED-FREERDPFREERDP-15857129
- published31 Mar 2026
- disclosed31 Mar 2026
- creditSebasteuo
Introduced: 31 Mar 2026
NewCVE-2026-33952 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade freerdp/freerdp to version 3.24.2 or higher.
Overview
Affected versions of this package are vulnerable to Reachable Assertion in the rts_read_auth_verifier_no_checks process when an unvalidated auth_length field is read from the network, leading to a WINPR_ASSERT() failure. An attacker can cause connected clients to crash by sending specially crafted data through a malicious RDP Gateway. This is only exploitable if the assertion is active in default release builds with WITH_VERBOSE_WINPR_ASSERT=ON and the client is using RPC-over-HTTP gateway transport.