CVE-2026-56297
Received Received - Intake

Use-After-Free in FreeRDP via DVC Channel Race Condition

Vulnerability report for CVE-2026-56297, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

FreeRDP before 3.22.0 contains a use-after-free vulnerability in dvcman_channel_close and dvcman_call_on_receive due to improper synchronization of channel_callback access. A malicious RDP server can trigger a race condition by sending DYNVC_DATA and DYNVC_CLOSE messages concurrently, causing heap-use-after-free in the drdynvc client thread and potentially enabling remote code execution or denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
freerdp freerdp to 3.22.0 (exc)
freerdp freerdp to 3.21.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56297 is a use-after-free vulnerability in FreeRDP versions before 3.22.0 caused by a race condition in the dynamic virtual channel (DVC) client component.

The issue occurs due to improper synchronization of the channel_callback access in the functions dvcman_channel_close and dvcman_call_on_receive. A malicious RDP server can exploit this by sending DYNVC_DATA and DYNVC_CLOSE messages concurrently, triggering a heap-use-after-free in the drdynvc client thread.

This race condition allows the channel callback to be freed while still being accessed, which can lead to crashes or potentially remote code execution.

Impact Analysis

This vulnerability can impact you by allowing a malicious RDP server to cause a denial of service (DoS) by crashing the FreeRDP client through a heap-use-after-free error.

More severely, it could potentially enable remote code execution (RCE) on the client machine if exploited further, as attackers might manipulate memory structures (heap grooming and vtable manipulation) to execute arbitrary code.

All FreeRDP clients connecting to untrusted RDP servers are affected if they run versions before 3.22.0.

Detection Guidance

This vulnerability is a race condition causing a use-after-free in FreeRDP clients when connecting to malicious RDP servers. Detection involves monitoring for crashes or abnormal behavior in FreeRDP clients such as xfreerdp, wlfreerdp, or Remmina, especially SIGSEGV crashes indicating heap-use-after-free.

Since the issue is triggered by concurrent DYNVC_DATA and DYNVC_CLOSE messages from an RDP server, network detection could involve capturing and analyzing RDP traffic for these message patterns occurring simultaneously on the same channel.

There are no specific commands provided in the resources for direct detection, but general approaches include:

  • Use packet capture tools like tcpdump or Wireshark to monitor RDP traffic and filter for DYNVC_DATA and DYNVC_CLOSE messages sent concurrently.
  • Run FreeRDP clients with debugging or sanitizers (e.g., AddressSanitizer, ThreadSanitizer) to detect race conditions and use-after-free during testing.
  • Monitor system logs and application crash reports for segmentation faults or crashes related to FreeRDP.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The primary mitigation is to upgrade FreeRDP clients to version 3.22.0 or later, where the vulnerability has been fixed by properly synchronizing access to the channel_callback pointer.

If upgrading immediately is not possible, avoid connecting FreeRDP clients to untrusted or potentially malicious RDP servers, as the vulnerability is triggered by malicious server behavior.

Downstream maintainers should backport the fix involving nullifying the channel_callback pointer before invoking the OnClose callback to prevent the race condition.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56297. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart