CVE-2026-23883

CVE-2026-23883 is a use-after-free (UAF) vulnerability, classified under CWE-416, affecting FreeRDP, a free implementation of the Remote Desktop Protocol (RDP), in versions prior to 3.21.0. The issue occurs in the client-side `xf_Pointer_New` function during pointer graphics handling, where `cursorPixels` is freed on failure, but `pointer_free` subsequently calls `xf_Pointer_Free` and frees it again, as detected by AddressSanitizer (ASan). This flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with potential for high confidentiality, integrity, and availability impacts.

A malicious RDP server can exploit this vulnerability against clients using vulnerable FreeRDP versions by sending crafted pointer data during a connection. No user privileges or interaction are required, enabling remote attackers to trigger the client-side UAF. This results in a denial-of-service (DoS) via application crash, with potential for heap corruption and code execution depending on the allocator implementation and surrounding heap layout.

The FreeRDP security advisory (GHSA-qcrr-85qx-4p6x) and release notes for version 3.21.0 confirm a patch that resolves the double-free issue in the affected code paths, including changes in `xf_graphics.c` and `pointer.c`. Security practitioners should upgrade to FreeRDP 3.21.0 or later to mitigate the vulnerability.