Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Published: 2026-01-19
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

FreeRDP, prior to version 3.21.0, contains a use‑after‑free bug in the X11 graphics pointer handling code. When processing a received pointer update fails while the pixel buffer is being set up, the code frees the buffer and then frees it again during pointer cleanup. That double free is undefined behaviour and can lead to a crash or, depending on the heap allocator and layout, to heap corruption with potential code‑execution risk. The flaw is classified as CWE‑416 and exposes the client to denial of service or remote code execution if exploited. It is triggered by a malicious RDP server sending crafted pointer data to a vulnerable client.
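To make the ownership mistake concrete, here is an added example (constructed for this page, not FreeRDP's code) that models the constructor/destructor pair the description names; `xpointer`, `pointer_new_vuln`, `pointer_new_fixed`, `tracked_alloc`/`tracked_free` and `run_scenario` are all hypothetical, and a tiny instrumented allocator plays the role ASan plays in the report:

```c
/* Constructed model of the CVE-2026-23883 defect class; not FreeRDP code. A tiny
 * instrumented allocator stands in for ASan: it tracks whether its one block is
 * live and reports a second free instead of corrupting the heap. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

static struct { void *mem; bool live; } g_block;  /* the single tracked allocation */
static int g_double_free = 0;                      /* frees of an already-dead block */

static void *tracked_alloc(size_t n) {
    g_block.mem = calloc(1, n); g_block.live = (g_block.mem != NULL); return g_block.mem;
}
static void tracked_free(void *p) {
    if (!p) return;                                                    /* free(NULL) is a no-op */
    if (p == g_block.mem && !g_block.live) { g_double_free++; return; } /* second free caught */
    g_block.live = false;
    free(p);
}

struct xpointer { uint32_t *pixels; };  /* hypothetical stand-in for the X11 pointer object */

/* Destructor shared by both variants: releases whatever the object still owns. */
static void pointer_free(struct xpointer *p) { tracked_free(p->pixels); p->pixels = NULL; }

/* Vulnerable shape: when a later step fails, the constructor frees the buffer but
 * leaves the dangling pointer in the object, so pointer_free() frees it again. */
static int pointer_new_vuln(struct xpointer *p, size_t n, bool fail_later) {
    p->pixels = tracked_alloc(n * sizeof *p->pixels);
    if (!p->pixels) return -1;
    if (fail_later) { tracked_free(p->pixels); return -1; }  /* p->pixels now dangles */
    return 0;
}

/* Hardened shape: whichever path frees the buffer also clears the owning pointer,
 * so the destructor sees NULL and the buffer has exactly one owner at all times. */
static int pointer_new_fixed(struct xpointer *p, size_t n, bool fail_later) {
    p->pixels = tracked_alloc(n * sizeof *p->pixels);
    if (!p->pixels) return -1;
    if (fail_later) { tracked_free(p->pixels); p->pixels = NULL; return -1; }
    return 0;
}

/* Fail the constructor after allocation, then tear down; returns double frees seen (1 vuln, 0 fixed). */
int run_scenario(bool fixed) {
    struct xpointer ptr = { NULL };
    g_double_free = 0;
    int rc = fixed ? pointer_new_fixed(&ptr, 32 * 32, true) : pointer_new_vuln(&ptr, 32 * 32, true);
    if (rc != 0) pointer_free(&ptr);  /* caller tears down the partially built object */
    return g_double_free;
}
```

`run_scenario(false)` reports one double free and the fixed variant reports none, which is the invariant a review of two-phase cleanup should check: every path that frees also clears the owning pointer.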

Affected Systems

FreeRDP clients running any version earlier than 3.21.0 are affected. Release 3.21.0 includes a patch that removes the double free from the pointer handling path. Only the client component that uses X11 graphics is vulnerable; other FreeRDP platforms are not affected by this specific bug.

Risk and Exploitability

The CVSS score is 7.7, indicating high severity, while the EPSS score is below 1 percent, suggesting a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker would need to control an RDP server that can send a specially crafted pointer packet to a vulnerable client, so the attack vector is remote server to client. If exploited, it could cause a crash and potentially allow arbitrary code execution depending on the client’s memory layout and allocator behaviour.

Generated by OpenCVE AI on April 18, 2026 at 05:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to version 3.21.0 or later, which removes the double free in the X11 pointer handling code.
  • If an upgrade is not immediately possible, disable the X11 pointer extension on the client or configure the client to refuse pointer updates to prevent the faulty cleanup logic from being triggered.
  • Block or restrict connections from untrusted or anonymous RDP servers until the client is patched or pointer handling is disabled.

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Freerdp
Freerdp freerdp
Vendors & Products Freerdp
Freerdp freerdp

Tue, 20 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}

threat_severity

Important


Mon, 19 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Description FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Title Heap-use-after-free in update_pointer_new
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T15:30:10.352Z

Reserved: 2026-01-16T21:02:02.901Z

Link: CVE-2026-23883

Vulnrichment

Updated: 2026-01-20T15:30:04.532Z

NVD

Status: Analyzed

Published: 2026-01-19T18:16:06.297

Modified: 2026-01-28T18:35:31.947

Link: CVE-2026-23883

Redhat

Severity: Important

Publish Date: 2026-01-19T17:15:55Z

Links: CVE-2026-23883 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses