CVE-2026-23883
Published: 19 January 2026
Summary
CVE-2026-23883 is a critical-severity Use After Free (CWE-416) vulnerability in FreeRDP (vendor: FreeRDP). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 38.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the UAF vulnerability by requiring identification, reporting, and timely patching of FreeRDP to version 3.21.0 or later.
- SI-16 (Memory Protection): implements memory protections such as ASLR and a non-executable heap to hinder exploitation of the double-free UAF for heap corruption and code execution.
- Vulnerability scanning: enables scanning to identify systems running vulnerable FreeRDP versions affected by this CVE.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The client-side UAF vulnerability in FreeRDP (an RDP client) is exploited by a malicious RDP server via crafted pointer data, enabling remote code execution or DoS, which maps directly to Exploitation for Client Execution (T1203).
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client-side use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Deeper analysis
CVE-2026-23883 is a use-after-free (UAF) vulnerability, classified under CWE-416, affecting FreeRDP, a free implementation of the Remote Desktop Protocol (RDP), in versions prior to 3.21.0. The issue occurs in the client-side `xf_Pointer_New` function during pointer graphics handling, where `cursorPixels` is freed on failure, but `pointer_free` subsequently calls `xf_Pointer_Free` and frees it again, as detected by AddressSanitizer (ASan). This flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with potential for high confidentiality, integrity, and availability impacts.
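The failure-path ownership bug described in the NVD text and above, as an added illustration for this page (a constructed, simplified model, not FreeRDP's code): a constructor frees the buffer it allocated when a later step fails but leaves the dangling pointer in the object, so the caller's unconditional cleanup frees it a second time. The fixed shape clears the pointer after the release, making the cleanup a safe no-op; the release counter is a stand-in for the allocator's bookkeeping so the double release is counted rather than actually corrupting the heap.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed, simplified model of the bug class in the advisory (not FreeRDP's
 * code). A cursor object owns a pixel buffer; its constructor can fail after
 * allocating it, and a cleanup callback frees whatever the object still holds.
 * release_pixels() counts how often the buffer reaches free() and performs the
 * real free only once, so the faulty path can run without corrupting the heap. */

typedef struct {
    uint32_t *cursorPixels;   /* heap buffer owned by the object */
    size_t    count;
} xfPointer;

static int releases;          /* number of times the buffer was handed to free() */

static void release_pixels(xfPointer *p) {
    if (!p->cursorPixels) return;                  /* owns nothing: cleanup is a no-op */
    if (releases++ == 0) free(p->cursorPixels);    /* a second release is the double free */
}

/* Cleanup callback, run by the caller on every path after construction. */
static void model_pointer_free(xfPointer *p) {
    release_pixels(p);
    p->cursorPixels = NULL;
}

/* Constructor. fixed == 0 reproduces the faulty shape: when a step after the
 * allocation fails, the buffer is freed but the struct keeps the dangling
 * pointer, so the caller's cleanup frees it again. fixed == 1 clears the
 * pointer after the release, so ownership is unambiguous. Returns 1 on success. */
static int model_pointer_new(xfPointer *p, size_t count, int fail_later, int fixed) {
    p->cursorPixels = calloc(count, sizeof(uint32_t));
    if (!p->cursorPixels) return 0;
    if (fail_later) {                  /* e.g. a later pixel conversion step fails */
        release_pixels(p);
        if (fixed) p->cursorPixels = NULL;
        return 0;
    }
    return 1;
}

/* Runs one construct + cleanup cycle and returns how many times the pixel
 * buffer was released: 1 is correct, 2 is the double free. */
static int run_lifecycle(int fail_later, int fixed) {
    xfPointer p = {0};
    releases = 0;
    model_pointer_new(&p, 32, fail_later, fixed);
    model_pointer_free(&p);            /* the caller's unconditional cleanup */
    return releases;
}
```

Under a real allocator the `run_lifecycle(1, 0)` path is what AddressSanitizer reports as a double free / use after free; the counter makes the same defect visible without the crash.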
A malicious RDP server can exploit this vulnerability against clients using vulnerable FreeRDP versions by sending crafted pointer data during a connection. No user privileges or interaction are required, enabling remote attackers to trigger the client-side UAF. This results in a denial-of-service (DoS) via application crash, with potential for heap corruption and code execution depending on the allocator implementation and surrounding heap layout.
The FreeRDP security advisory (GHSA-qcrr-85qx-4p6x) and release notes for version 3.21.0 confirm a patch that resolves the double-free issue in the affected code paths, including changes in `xf_graphics.c` and `pointer.c`. Security practitioners should upgrade to FreeRDP 3.21.0 or later to mitigate the vulnerability.
Details
- CWE(s)