Cyber Resilience

CVE-2026-23884

Severity: High · Public PoC · Updated

Published: 19 January 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (FreeRDP 3.21.0)
CVSS Score (v4): 7.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0054 (41.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-23884 is a high-severity Use After Free (CWE-416) vulnerability in FreeRDP (vendor Freerdp, product Freerdp). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 41.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23884 is a use-after-free (UAF) vulnerability (CWE-416) in FreeRDP, an open-source implementation of the Remote Desktop Protocol (RDP). In versions prior to 3.21.0, the offscreen bitmap deletion logic in the cache module frees the bitmap but leaves the `gdi->drawing` pointer referencing the freed memory. When related update packets subsequently arrive, client-side processing dereferences the dangling pointer and triggers the UAF; the affected code is at libfreerdp/cache/offscreen.c lines 114-122 and 87-91.

A remote attacker controlling a malicious RDP server can exploit this against FreeRDP clients connecting to it over the network, with no privileges, user interaction, or special conditions required (CVSS 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation reliably causes a client crash for denial-of-service (DoS), and may enable heap corruption leading to arbitrary code execution depending on the memory allocator's behavior and heap layout at the time.

The FreeRDP security advisory (GHSA-cfgj-vc84-f3pp) and release notes for version 3.21.0 confirm a patch addressing the dangling pointer issue. Security practitioners should upgrade FreeRDP clients to 3.21.0 or later and audit deployments for vulnerable versions.

Vulnerability details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing a UAF when related update packets arrive. A malicious server can trigger a client-side use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
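The two sections above describe the same defect shape: a "current drawing surface" pointer that outlives the offscreen bitmap it refers to, so the next update packet writes through freed memory. The following C model is an added illustration written for this page, not FreeRDP's code; the type and function names (`gdi_state`, `delete_offscreen_vulnerable`, `delete_offscreen_fixed`, `apply_update`) are hypothetical. It places the vulnerable deletion beside the fixed one, whose only difference is that every alias to the object is re-pointed to a surface that is still alive before the buffer is released, and it uses a `live` flag in place of the crash a sanitizer would report so that it runs safely.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model only: hypothetical names, not FreeRDP's structures or
 * functions. It reproduces the dangling-pointer shape described for
 * CVE-2026-23884: a drawing-surface pointer that survives the deletion of the
 * offscreen bitmap it points at. */

#define CACHE_SLOTS 8
#define SURFACE_BYTES 64

typedef struct {
    bool live;              /* false once the surface's pixel buffer has been freed */
    unsigned char *pixels;  /* heap buffer that later update packets write into */
} surface;

typedef struct {
    surface primary;               /* main screen surface, lives for the whole session */
    surface cache[CACHE_SLOTS];    /* offscreen bitmap cache, indexed by a server-chosen id */
    surface *drawing;              /* surface that incoming updates are rendered to */
} gdi_state;

int gdi_init(gdi_state *g) {
    memset(g, 0, sizeof(*g));
    g->primary.pixels = calloc(SURFACE_BYTES, 1);
    if (!g->primary.pixels) return -1;
    g->primary.live = true;
    g->drawing = &g->primary;
    return 0;
}

void gdi_free(gdi_state *g) {
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (g->cache[i].live) {
            free(g->cache[i].pixels);
            g->cache[i].live = false;
        }
    }
    free(g->primary.pixels);
    g->primary.pixels = NULL;
    g->primary.live = false;
    g->drawing = NULL;
}

/* Server asks the client to create an offscreen bitmap in slot `id`. */
int cache_create(gdi_state *g, int id) {
    if (id < 0 || id >= CACHE_SLOTS || g->cache[id].live) return -1;
    g->cache[id].pixels = calloc(SURFACE_BYTES, 1);
    if (!g->cache[id].pixels) return -1;
    g->cache[id].live = true;
    return 0;
}

/* Server switches rendering to offscreen bitmap `id`. */
int switch_surface(gdi_state *g, int id) {
    if (id < 0 || id >= CACHE_SLOTS || !g->cache[id].live) return -1;
    g->drawing = &g->cache[id];
    return 0;
}

/* Vulnerable shape: the buffer is released, but `drawing` is left pointing at it. */
int delete_offscreen_vulnerable(gdi_state *g, int id) {
    if (id < 0 || id >= CACHE_SLOTS || !g->cache[id].live) return -1;
    free(g->cache[id].pixels);
    g->cache[id].pixels = NULL;
    g->cache[id].live = false;
    return 0;
}

/* Fixed shape: invalidate every alias to the object before it is freed. */
int delete_offscreen_fixed(gdi_state *g, int id) {
    if (id < 0 || id >= CACHE_SLOTS || !g->cache[id].live) return -1;
    if (g->drawing == &g->cache[id])
        g->drawing = &g->primary;  /* fall back to a surface that is still alive */
    free(g->cache[id].pixels);
    g->cache[id].pixels = NULL;
    g->cache[id].live = false;
    return 0;
}

/* A later update packet writes into the current drawing surface. The `live`
 * check stands in for what a sanitizer would report: without it, the
 * vulnerable path would write through the freed buffer. */
int apply_update(gdi_state *g, unsigned char value) {
    if (!g->drawing || !g->drawing->live) return -1;  /* this is the UAF condition */
    g->drawing->pixels[0] = value;
    return 0;
}

bool drawing_is_dangling(const gdi_state *g) {
    return g->drawing == NULL || !g->drawing->live;
}

int main(void) {
    gdi_state g;
    if (gdi_init(&g) != 0) return 1;
    cache_create(&g, 3);
    switch_surface(&g, 3);
    delete_offscreen_vulnerable(&g, 3);
    printf("vulnerable delete: drawing dangling = %d\n", drawing_is_dangling(&g));
    gdi_free(&g);

    if (gdi_init(&g) != 0) return 1;
    cache_create(&g, 3);
    switch_surface(&g, 3);
    delete_offscreen_fixed(&g, 3);
    printf("fixed delete: drawing dangling = %d\n", drawing_is_dangling(&g));
    gdi_free(&g);
    return 0;
}
```

The sequence create, switch, delete, then update is the ordering the advisory text describes; the difference between the two `delete_offscreen_*` functions is the whole fix. When reviewing similar cache code, the check to make is that every place that frees a cached object first walks the pointers that may alias it (here only `drawing`) and re-points them.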

CWE(s): CWE-416 (Use After Free)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A UAF in the FreeRDP client, triggered by a malicious RDP server, enables remote code execution (T1203) via heap corruption and a reliable client crash for DoS (T1499.004), with no user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25952 (same product: Freerdp Freerdp)
CVE-2026-27950 (same product: Freerdp Freerdp)
CVE-2026-24680 (same product: Freerdp Freerdp)
CVE-2026-25953 (same product: Freerdp Freerdp)
CVE-2026-24675 (same product: Freerdp Freerdp)
CVE-2026-25954 (same product: Freerdp Freerdp)
CVE-2026-24491 (same product: Freerdp Freerdp)
CVE-2026-25959 (same product: Freerdp Freerdp)
CVE-2026-25997 (same product: Freerdp Freerdp)
CVE-2026-26986 (same product: Freerdp Freerdp)

Affected Assets

Vendor: freerdp
Product: freerdp
Versions: ≤ 3.21.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent · SI-2 (Flaw Remediation): directly remediates the use-after-free vulnerability by requiring timely patching of FreeRDP to version 3.21.0 or later.

Prevent · SI-16 (Memory Protection): provides memory protection mechanisms that specifically address use-after-free errors, mitigating heap corruption and potential code execution from offscreen bitmap processing.

Detect: enables identification of vulnerable FreeRDP versions through vulnerability scanning, facilitating remediation before exploitation by malicious RDP servers.
