9.8
CVE-2026-23883
- EPSS 0.4%
- Veröffentlicht 19.01.2026 17:15:55
- Zuletzt bearbeitet 30.06.2026 03:17:34
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Heap-use-after-free in update_pointer_new
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.4% | 0.32 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 7.7 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.6 | 2.8 | 4.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qcrr-85qx-4p6x
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_graphics.c#L312-L319
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_graphics.c#L340
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/pointer.c#L164-L174
https://access.redhat.com/errata/RHSA-2026:2048
https://access.redhat.com/errata/RHSA-2026:2081
https://access.redhat.com/errata/RHSA-2026:2222
https://access.redhat.com/errata/RHSA-2026:2736
https://access.redhat.com/errata/RHSA-2026:2770
https://access.redhat.com/errata/RHSA-2026:2824
https://access.redhat.com/errata/RHSA-2026:2952
https://access.redhat.com/errata/RHSA-2026:3037
https://access.redhat.com/security/cve/CVE-2026-23883
https://bugzilla.redhat.com/show_bug.cgi?id=2430885
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23883.json