CVE Catalog

CVE-2026-23883

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

32th percentile - higher than 32% of all known CVEs

Summary

In FreeRDP prior to version 3.21.0, the `xf_Pointer_New` function frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering a use-after-free (UAF) detected by ASan. A malicious server can trigger this client-side vulnerability, causing a crash (DoS) and potential heap corruption that may lead to code execution depending on the allocator behavior and heap layout.

Risk Assessment

The risk includes remote denial of service (DoS) of the FreeRDP client and, under favorable conditions, potential arbitrary code execution on the client machine through heap manipulation.

Recommendation

Immediately upgrade FreeRDP to version 3.21.0 or later, which includes a fix for the double-free vulnerability.

Original NVD description (English source)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS