Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has been freed during RDPGFX ResetGraphics handling. This vulnerability is fixed in 3.20.1.
Published: 2026-01-14
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free leading to arbitrary code execution
Action: Patch
AI Analysis

Impact

The bug arises from a race condition between the RDPGFX dynamic virtual channel thread and the SDL rendering thread in FreeRDP. During a ResetGraphics operation the SDL surface sdl->primary is freed and the freed pointer is later dereferenced, resulting in a heap use‑after‑free. This flaw can corrupt memory and may allow an attacker to cause program crashes or, in the worst case, execute arbitrary code.

Affected Systems

The vulnerability exists in all releases of FreeRDP prior to version 3.20.1. Users running older versions of the FreeRDP client are susceptible. The affected component is the SDL client (sdl->primary) used for rendering RDP desktops.

Risk and Exploitability

The CVSS score of 6.9 classifies the weakness as moderate severity. The EPSS score of less than 1% indicates a low likelihood of exploitation at the current time, and the flaw is not listed in the CISA KEV catalog. It is most likely triggered through a remote RDP session that exercises the ResetGraphics routine, though the exact attack vector is inferred from the description. Given the modest CVSS rating and low EPSS probability, the overall risk remains moderate but tangible if an attacker can leverage the race condition.

Generated by OpenCVE AI on April 18, 2026 at 06:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FreeRDP to version 3.20.1 or later, where the race condition has been fixed.
  • If an upgrade is not immediately possible, consider disabling SDL rendering or unsupported graphics modes that rely on sdl->primary.
  • Apply internal controls to limit graphic channel usage in remote sessions and monitor for unexpected crashes or memory errors.

Generated by OpenCVE AI on April 18, 2026 at 06:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L'}

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Thu, 15 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L'}

threat_severity

Moderate

Thu, 15 Jan 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Freerdp
Freerdp freerdp
Vendors & Products Freerdp
Freerdp freerdp

Wed, 14 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
Description FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has been freed during RDPGFX ResetGraphics handling. This vulnerability is fixed in 3.20.1.
Title FreeRDP RDPGFX ResetGraphics race leads to use-after-free in SDL client (sdl->primary)
Weaknesses CWE-362
CWE-416
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Freerdp Freerdp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-14T21:03:36.764Z

Reserved: 2026-01-12T16:20:16.745Z

Link: CVE-2026-22851

cve-icon Vulnrichment

Updated: 2026-01-14T21:03:33.744Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-14T18:16:42.490

Modified: 2026-01-20T18:43:31.587

Link: CVE-2026-22851

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-14T17:43:28Z

Links: CVE-2026-22851 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:30:25Z

Weaknesses