9.8
CVE-2026-23884
- EPSS 0.4%
- Veröffentlicht 19.01.2026 17:20:40
- Zuletzt bearbeitet 30.06.2026 03:17:35
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Heap-use-after-free in gdi_set_bounds
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.4% | 0.32 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 7.7 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.6 | 2.8 | 4.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cfgj-vc84-f3pp
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L114-L122
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L87-L91
https://access.redhat.com/errata/RHSA-2026:2048
https://access.redhat.com/errata/RHSA-2026:2081
https://access.redhat.com/errata/RHSA-2026:2222
https://access.redhat.com/errata/RHSA-2026:2714
https://access.redhat.com/errata/RHSA-2026:2736
https://access.redhat.com/errata/RHSA-2026:2770
https://access.redhat.com/errata/RHSA-2026:2824
https://access.redhat.com/errata/RHSA-2026:2952
https://access.redhat.com/errata/RHSA-2026:3036
https://access.redhat.com/errata/RHSA-2026:3037
https://access.redhat.com/errata/RHSA-2026:3038
https://access.redhat.com/errata/RHSA-2026:3039
https://access.redhat.com/errata/RHSA-2026:3041
https://access.redhat.com/security/cve/CVE-2026-23884
https://bugzilla.redhat.com/show_bug.cgi?id=2430880
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23884.json