Cyber Posture

CVE-2026-23884

Severity: Critical · Public PoC available

Published: 19 January 2026
Modified: 28 January 2026
KEV Added: (not listed)
Patch: (see advisory)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (38.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing a use-after-free (UAF) when related update packets arrive. A malicious server can trigger a client-side use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly remediates the use-after-free vulnerability by requiring timely patching of FreeRDP to version 3.21.0 or later.

prevent: Provides memory protection mechanisms that specifically address use-after-free errors, mitigating heap corruption and potential code execution from offscreen bitmap processing.

detect: Enables identification of vulnerable FreeRDP versions through vulnerability scanning, facilitating remediation before exploitation by malicious RDP servers.

Security Summary

CVE-2026-23884 is a use-after-free (UAF) vulnerability (CWE-416) in FreeRDP, an open-source implementation of the Remote Desktop Protocol (RDP). In versions prior to 3.21.0, the offscreen bitmap deletion logic in the cache module improperly leaves a pointer (`gdi->drawing`) dangling to freed memory. Subsequent arrival of related update packets triggers the UAF during client-side processing, as detailed in the affected code at libfreerdp/cache/offscreen.c lines 114-122 and 87-91.

A remote attacker controlling a malicious RDP server can exploit this against FreeRDP clients connecting to it over the network, with no privileges, user interaction, or special conditions required (CVSS 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation reliably causes a client crash for denial-of-service (DoS), and may enable heap corruption leading to arbitrary code execution depending on the memory allocator's behavior and heap layout at the time.

The FreeRDP security advisory (GHSA-cfgj-vc84-f3pp) and release notes for version 3.21.0 confirm a patch addressing the dangling pointer issue. Security practitioners should upgrade FreeRDP clients to 3.21.0 or later and audit deployments for vulnerable versions.
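The dangling-pointer pattern described above, shown as an added, self-contained illustration (not FreeRDP's code; the `Gdi`, `Bitmap`, `offscreen_delete_unsafe` and `offscreen_delete_safe` names are hypothetical stand-ins). The unsafe deletion frees a cache slot while the current render target still points at it; the hardened version redirects the render target to the primary surface before freeing, which is the shape of fix a reviewer would look for in this class of bug:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed types standing in for an offscreen bitmap cache and a
 * GDI context with a "current drawing target" pointer. Hypothetical,
 * not FreeRDP's gdiBitmap / rdpGdi. */
typedef struct {
    int id;
    unsigned char *pixels;
} Bitmap;

typedef struct {
    Bitmap *slots[8];   /* offscreen bitmap cache slots */
    Bitmap *primary;    /* the screen surface; never deleted by the cache */
    Bitmap *drawing;    /* current render target: primary or one cache slot */
} Gdi;

static Bitmap *bitmap_new(int id) {
    Bitmap *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->id = id;
    b->pixels = calloc(64, 1);
    if (!b->pixels) { free(b); return NULL; }
    return b;
}

static void bitmap_free(Bitmap *b) {
    if (!b) return;
    free(b->pixels);
    free(b);
}

/* Vulnerable pattern: frees the slot but leaves gdi->drawing untouched,
 * so a later update that draws into gdi->drawing touches freed memory. */
void offscreen_delete_unsafe(Gdi *gdi, int index) {
    bitmap_free(gdi->slots[index]);
    gdi->slots[index] = NULL;
}

/* Hardened pattern: if the bitmap being deleted is the current render
 * target, point the target back at the primary surface before freeing. */
void offscreen_delete_safe(Gdi *gdi, int index) {
    Bitmap *b = gdi->slots[index];
    if (gdi->drawing == b)
        gdi->drawing = gdi->primary;
    bitmap_free(b);
    gdi->slots[index] = NULL;
}

/* Stand-in for a later "update packet": checks (by identity, without
 * dereferencing) whether the current render target is still a live
 * bitmap. Returns 1 if live, 0 if it names a slot that no longer exists. */
int update_target_is_live(const Gdi *gdi) {
    if (gdi->drawing == gdi->primary) return 1;
    for (int i = 0; i < 8; i++)
        if (gdi->slots[i] && gdi->slots[i] == gdi->drawing) return 1;
    return 0;
}

/* Replay the sequence: create slot 0, switch the render target to it,
 * delete slot 0, then see whether the target is still live. */
int scenario(int use_safe_delete) {
    Gdi gdi;
    memset(&gdi, 0, sizeof gdi);
    gdi.primary = bitmap_new(-1);
    gdi.drawing = gdi.primary;
    gdi.slots[0] = bitmap_new(0);
    gdi.drawing = gdi.slots[0];          /* target switched to the offscreen slot */
    if (use_safe_delete) offscreen_delete_safe(&gdi, 0);
    else offscreen_delete_unsafe(&gdi, 0);
    int live = update_target_is_live(&gdi);
    bitmap_free(gdi.primary);
    return live;
}

int main(void) {
    printf("unsafe delete, target live: %d\n", scenario(0));  /* 0: dangling */
    printf("safe delete,   target live: %d\n", scenario(1));  /* 1: redirected */
    return 0;
}
```

The check in `update_target_is_live` compares pointer identity only, so the unsafe path demonstrates the dangling state without itself dereferencing freed memory; in a real client the equivalent update handler would read or write through the stale pointer, which is the crash or heap corruption the advisory describes. Building with AddressSanitizer and fuzzing the update path against deletion sequences is the practical way to catch this class of defect before release.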

Details

CWE(s): CWE-416 (Use After Free)

Affected Products

freerdp / freerdp: ≤ 3.21.0

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A use-after-free in the FreeRDP client, triggered by a malicious RDP server, can lead to remote code execution through heap corruption (T1203) and reliably crashes the client for denial of service (T1499.004), with no user interaction required.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
