CVE-2026-23884 - Vulnerability Details

- Heap-use-after-free in gdi_set_bounds

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

Published: 2026-01-19

Score: 7.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

FreeRDP clients prior to version 3.21.0 contain a heap‑use‑after‑free flaw in the offscreen bitmap deletion routine. When a client receives an update packet after a bitmap has been freed, the library continues to reference the stale pointer, causing a crash. Depending on the libc allocator behavior and surrounding heap layout, this scenario could drive heap corruption and lead to arbitrary code execution on the client system.

Affected Systems

The vulnerability affects the FreeRDP project on all installations built with versions earlier than 3.21.0. Users running 3.21.0 or later are not impacted because the patch was applied in that release.

Risk and Exploitability

The flaw receives a CVSS base score of 7.7 and an EPSS value below 1 % at the time of analysis, indicating a low likelihood of widespread exploitation. It is not listed in the CISA KEV catalog. The attack surface requires a malicious RDP server to send specially crafted update packets after an offscreen bitmap has been freed; this condition is inferred from the description. Due to the far‑thest reachable remote code execution risk, timely remediation is advised.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

FreeRDP

affected

Version	Status	Constraints
`< 3.21.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Freerdp	Freerdp	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to FreeRDP 3.21.0 or newer.
If upgrade is delayed, disable offscreen bitmap caching in the client configuration to avoid the freed pointer usage.
Monitor RDP sessions for abnormal crashes and verify the latest client version is in use.

Generated by OpenCVE AI on April 18, 2026 at 05:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00177.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L114-L122
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L87-L91
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cfgj-vc84-f3pp
https://nvd.nist.gov/vuln/detail/CVE-2026-23884
https://www.cve.org/CVERecord?id=CVE-2026-23884

History

Wed, 28 Jan 2026 18:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:freerdp:freerdp::::::::
Metrics	cvssV3_1 `{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}`	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 20 Jan 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 20 Jan 2026 08:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Freerdp Freerdp freerdp
Vendors & Products		Freerdp Freerdp freerdp

Tue, 20 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-23884 https://www.cve.org/CVERecord?id=CVE-2026-23884
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}` threat_severity `Important`

Mon, 19 Jan 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Title		Heap-use-after-free in gdi_set_bounds
Weaknesses		CWE-416
References		https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L114-L122 https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L87-L91 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cfgj-vc84-f3pp
Metrics		cvssV4_0 `{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Freerdp Freerdp

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-19T17:20:40.149Z

Updated: 2026-01-20T15:25:49.504Z

Reserved: 2026-01-16T21:02:02.901Z

Link: CVE-2026-23884

Vulnrichment

Updated: 2026-01-20T15:25:46.828Z

NVD

Status : Analyzed

Published: 2026-01-19T18:16:06.430

Modified: 2026-01-28T18:31:29.960

Link: CVE-2026-23884

Redhat

Severity : Important

Publid Date: 2026-01-19T17:20:40Z

Links: CVE-2026-23884 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object