CVE-2026-23883
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk32th percentile - higher than 32% of all known CVEs
Summary
In FreeRDP prior to version 3.21.0, the `xf_Pointer_New` function frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering a use-after-free (UAF) detected by ASan. A malicious server can trigger this client-side vulnerability, causing a crash (DoS) and potential heap corruption that may lead to code execution depending on the allocator behavior and heap layout.
Risk Assessment
The risk includes remote denial of service (DoS) of the FreeRDP client and, under favorable conditions, potential arbitrary code execution on the client machine through heap manipulation.
Recommendation
Immediately upgrade FreeRDP to version 3.21.0 or later, which includes a fix for the double-free vulnerability.
Original NVD description (English source)
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

