CVE-2026-23884
Unknown Unknown - Not Provided
Use-After-Free in FreeRDP Offscreen Bitmap Causes DoS, Code Execution

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-01-19
Generated
2026-05-07
AI Q&A
2026-01-19
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23884
EUVD
EUVD-2026-3310
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
freerdp freerdp to 3.21.0 (exc)
freerdp freerdp 3.20.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-23884 is a heap-use-after-free vulnerability in FreeRDP versions prior to 3.21.0. It occurs because when an offscreen bitmap is deleted, a pointer (gdi->drawing) still references the freed memory. Later, when the program tries to use this pointer during graphical updates, it accesses invalid memory, causing a use-after-free condition. This can lead to a client crash (denial of service) and potentially heap corruption or remote code execution depending on memory allocator behavior and heap layout. [2]


How can this vulnerability impact me? :

This vulnerability can be exploited by a malicious RDP server to cause the FreeRDP client to crash, resulting in a denial of service. Additionally, it may lead to heap corruption and potentially allow remote code execution on the client machine, depending on the memory allocator and heap layout. This means an attacker could take control of the affected system or disrupt its normal operation. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring FreeRDP client crashes or abnormal behavior when connecting to RDP servers, especially if the client version is prior to 3.21.0. Since the vulnerability is triggered by malicious RDP servers sending crafted update packets, network detection could involve inspecting RDP traffic for suspicious or malformed CREATE_OFFSCREEN_BITMAP orders or update packets with ORDER_BOUNDS. However, no specific detection commands are provided in the resources. Using AddressSanitizer (ASan) during FreeRDP client runtime can help detect use-after-free errors in gdi_set_bounds (line 569 in gdi.c). [2]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade FreeRDP to version 3.21.0 or later, where the vulnerability has been patched. Avoid connecting to untrusted or potentially malicious RDP servers until the update is applied. There are no other specific mitigation commands or workarounds mentioned. [2]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart