Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to the SDL3 code path. In the SDL2 implementation, the pointer is not nulled after free. This creates a situation where the advisory suggests the vulnerability is fully resolved, while builds or environments still using SDL2 may retain the vulnerable logic. A complete fix is available in version 3.23.0.
Published: 2026-02-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap-use-after-free leading to memory corruption
Action: Apply Patch
AI Analysis

Impact

FreeRDP's SDL2 client has a heap‑use‑after‑free in the update_pointer_new routine. An object is freed but the pointer to it is left in the owning structure, so a later code path that checks or dereferences that pointer operates on freed memory. The weakness is tracked as CWE‑416 (use after free) and CWE‑825 (expired pointer dereference). CVE‑2026‑24680 described the same execution flow, but its fix was applied only to the SDL3 code path, so the SDL2 client kept the vulnerable logic until 3.23.0. Pointer (mouse cursor) updates in RDP are sent by the server to the client, and every CVSS vector recorded for this CVE gives a network attack vector, so the realistic trigger is a malicious or compromised RDP server delivering crafted pointer updates to a connecting SDL2 client. The scored impact is availability: a client crash or memory corruption in the client process.

Affected Systems

The vulnerability affects FreeRDP releases before 3.23.0 when the SDL client is built against SDL2. The SDL code is a client front‑end, so RDP server components are not exposed through this path; what is at risk is an SDL2 client that connects to an untrusted or compromised server. Builds of the SDL3 client carry the CVE‑2026‑24680 fix and are not affected by this incomplete‑fix issue. Distribution packages may backport the 3.23.0 change to an older version string, so check the package changelog rather than relying on the upstream version number alone.

Risk and Exploitability

The CVSS 4.0 score of 5.5 (Medium) reflects a network attack vector with no privileges or user interaction required and a low availability impact; NVD's CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) rates the same bug 7.5 High by treating the crash as a full availability loss, while Red Hat's 3.1 vector (UI:R) counts the user's act of connecting as interaction and scores it 4.3. The EPSS score below 1% indicates low observed exploitation likelihood, the SSVC record lists exploitation as "none" and the bug as not automatable, and the CVE is not in the CISA KEV catalog. Because the freed object is handled in client code that processes server‑sent pointer updates, exploitation requires the victim to connect an SDL2 client to a server the attacker controls or has compromised; once connected, no further user action is needed. The scored impact is denial of service (client crash). No confidentiality or integrity impact is recorded, so privilege escalation is not indicated by the available metrics, although a use‑after‑free should still be treated as potentially escalatable until patched.

Generated by OpenCVE AI on April 18, 2026 at 17:39 UTC.

Remediation

Vendor fix: FreeRDP 3.23.0 completes the CVE-2026-24680 fix by applying it to the SDL2 code path as well. No separate workaround is published; the practical mitigation until upgrade is to avoid connecting SDL2-based clients to untrusted servers.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to version 3.23.0 or later, which applies the heap‑use‑after‑free fix to the SDL2 code path; for distribution packages, confirm from the changelog that the 3.23.0 change has been backported
  • If SDL2 must be used and upgrading is not viable, backport the 3.23.0 change to the SDL2 code rather than only nulling the pointer after free: nulling is sufficient only if every later path that reaches the pointer checks it for NULL, so verify the backport with an AddressSanitizer build exercised against a server that sends repeated pointer updates
  • Monitor SDL2 client crashes (core dumps, abnormal exits) that coincide with connections to new or third‑party servers and alert administrators
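The bug class behind the Impact section and the manual-patch recommendation above, as an added example that is not FreeRDP's code: a context that owns a cursor object, a release routine that frees the object without nulling the pointer beside one that does, and a "new pointer" handler whose `if (ctx->cursor)` guard only protects against freed memory in the second case. All names (client_ctx, cursor_t, handle_pointer_update, the tracked_* registry) are hypothetical stand-ins; the registry plays the role a sanitizer would, recording live allocations so the stale use surfaces as a return code instead of undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration of the free-without-null bug class; not FreeRDP code.
 * The tracked_* registry stands in for a sanitizer: it records which heap
 * objects are live so that touching a freed object is reported as a return
 * code rather than being undefined behaviour. */
#define MAX_TRACKED 16
static uintptr_t g_live[MAX_TRACKED];  /* addresses of live allocations */

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p)
        return NULL;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (g_live[i] == 0) { g_live[i] = (uintptr_t)p; return p; }
    }
    free(p);  /* registry full: treat as allocation failure */
    return NULL;
}

static bool tracked_is_live(const void *p)
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (g_live[i] == (uintptr_t)p) return true;
    return false;
}

/* Returns false on a double free (or a pointer the registry never issued). */
static bool tracked_free(void *p)
{
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (g_live[i] == (uintptr_t)p) { g_live[i] = 0; free(p); return true; }
    }
    return false;
}

typedef struct { int w, h; } cursor_t;            /* the owned object */
typedef struct { cursor_t *cursor; } client_ctx;  /* hypothetical client state */

/* Vulnerable release: frees the cursor but leaves the dangling pointer in
 * the context, the SDL2-path defect the advisory describes. */
static void release_cursor_vulnerable(client_ctx *ctx)
{
    if (ctx->cursor)
        tracked_free(ctx->cursor);
}

/* Fixed release: null the field in the same step as the free. */
static void release_cursor_fixed(client_ctx *ctx)
{
    if (ctx->cursor) {
        tracked_free(ctx->cursor);
        ctx->cursor = NULL;
    }
}

/* "New pointer" handler: drops the old cursor and installs a new one. Its
 * NULL check only protects against freed memory if every earlier release
 * nulled the field. Returns 0 on success, -1 on a stale pointer (the
 * use-after-free), -2 on allocation failure. */
static int handle_pointer_update(client_ctx *ctx, int w, int h)
{
    if (ctx->cursor) {
        if (!tracked_is_live(ctx->cursor))
            return -1;
        tracked_free(ctx->cursor);
        ctx->cursor = NULL;
    }
    cursor_t *c = tracked_alloc(sizeof *c);
    if (!c)
        return -2;
    c->w = w;
    c->h = h;
    ctx->cursor = c;
    return 0;
}

/* Install a cursor, release it with the given routine, then deliver a second
 * pointer update. Returns the handler's result for that second update. */
static int run_sequence(void (*release)(client_ctx *))
{
    client_ctx ctx = { NULL };
    if (handle_pointer_update(&ctx, 32, 32) != 0)
        return -2;
    release(&ctx);
    int rc = handle_pointer_update(&ctx, 64, 64);
    release_cursor_fixed(&ctx);  /* clean up whatever is still live */
    return rc;
}

int main(void)
{
    printf("vulnerable release, then update: %d\n",
           run_sequence(release_cursor_vulnerable));  /* -1 */
    printf("fixed release, then update:      %d\n",
           run_sequence(release_cursor_fixed));       /* 0 */
    return 0;
}
```

With plain malloc/free in place of the registry, the same sequence is what an AddressSanitizer build reports as a heap-use-after-free or double-free on the second update, which is the practical way to confirm that a backported SDL2 patch closes every path to the freed object, not only the one the advisory names.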

Generated by OpenCVE AI on April 18, 2026 at 17:39 UTC.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 19:15:00 +0000

  CPEs (added): cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
  Metrics cvssV3_1 (removed): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}
  Metrics cvssV3_1 (added): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 27 Feb 2026 00:15:00 +0000

  Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

  First Time appeared (added): Freerdp; Freerdp freerdp
  Vendors & Products (added): Freerdp; Freerdp freerdp

Thu, 26 Feb 2026 12:15:00 +0000

  Weaknesses (added): CWE-825
  References (changed)
  Metrics threat_severity (removed): None
  Metrics cvssV3_1 (added): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}
  Metrics threat_severity (added): Moderate


Wed, 25 Feb 2026 21:30:00 +0000

  Description (added): the description shown at the top of this page
  Title (added): FreeRDP heap-use-after-free in update_pointer_new(SDL): Fix Applied in the Wrong File
  Weaknesses (added): CWE-416
  References (added)
  Metrics cvssV4_0 (added): {'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T20:38:07.068Z

Reserved: 2026-02-25T03:11:36.690Z

Link: CVE-2026-27950

Vulnrichment

Updated: 2026-02-26T20:38:01.796Z

NVD

Status : Analyzed

Published: 2026-02-25T22:16:27.297

Modified: 2026-02-27T19:10:21.367

Link: CVE-2026-27950

Redhat

Severity : Moderate

Public Date: 2026-02-25T21:05:23Z

Links: CVE-2026-27950 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses