CVE-2026-27950
Published: 25 February 2026
Summary
CVE-2026-27950 is a medium-severity Use After Free (CWE-416) vulnerability in FreeRDP. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability ranks at the 29.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-27950 is a heap-use-after-free vulnerability (CWE-416) in FreeRDP, a free implementation of the Remote Desktop Protocol. It stems from an incomplete fix for the issue originally described in CVE-2026-24680. While the prior advisory indicated resolution, the patch was applied only to the SDL3 code path, leaving the SDL2 implementation vulnerable. In SDL2, a pointer is freed but not nulled, enabling use-after-free conditions in affected builds or environments prior to version 3.23.0. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By triggering the vulnerable execution flow in FreeRDP clients using SDL2, attackers can cause a heap-use-after-free, leading to denial of service through application crashes or instability, with high impact on availability but no direct confidentiality or integrity effects.
The FreeRDP security advisory (GHSA-rvfg-86cr-5r6p) and related commits detail the mitigation: upgrade to version 3.23.0, which applies the pointer-nulling fix to both SDL2 and SDL3 paths. Specific changes appear in commits like 5f62aa11c1bdf00f94c40ea9ebb260a752740b80 and c42ecbd183b001e76bfc3614cddfad0034acc758, addressing the SDL2 file sdl_pointer.cpp at lines 63-64.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8754
Vulnerability details
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to the SDL3 code path. In the SDL2 implementation, the pointer is not nulled after free. This creates a situation where the advisory suggests the vulnerability is fully resolved, while builds or environments still using SDL2 may retain the vulnerable logic. A complete fix is available in version 3.23.0.
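As an added illustration, not FreeRDP's code and not the contents of sdl_pointer.cpp, the following hypothetical C++ shows the defect class the advisory describes (an object is deleted but the pointer to it is left dangling) next to the pointer-nulling fix and its std::unique_ptr equivalent. CursorImage, PointerStateRaw, PointerStateOwned and all function names are invented for this example; the dangling variant is exercised only far enough to show that the stale address is still stored, and the freed object is never touched.

```cpp
// Hypothetical demonstration of CWE-416 "freed but not nulled" versus the
// pointer-nulling fix. Not FreeRDP code; all names are invented.
#include <memory>

// Stand-in for a cursor object owned by the client's pointer state.
struct CursorImage {
    int width;
    int height;
};

// Manually managed state: a raw pointer whose lifetime is tracked by hand.
struct PointerStateRaw {
    CursorImage* cursor = nullptr;
};

// Vulnerable pattern: the object is freed but the pointer keeps the stale
// address. Any later dereference is a use-after-free and any later delete
// is a double free, because nothing tells later code the object is gone.
static void release_cursor_dangling(PointerStateRaw& st) {
    delete st.cursor;
    // missing: st.cursor = nullptr;
}

// Fixed pattern: free and null in the same step. Later code sees "no cursor"
// instead of a stale address, and deleting nullptr is a defined no-op, so a
// repeated release is harmless as well.
static void release_cursor_safe(PointerStateRaw& st) {
    delete st.cursor;
    st.cursor = nullptr;
}

// Consumer every later code path must go through: a null pointer means
// "nothing to draw" rather than a dereference of whatever address is stored.
static bool update_cursor(const PointerStateRaw& st, int& out_width) {
    if (st.cursor == nullptr) {
        return false;
    }
    out_width = st.cursor->width;
    return true;
}

// Idiomatic modern-C++ form of the same fix: unique_ptr::reset() frees and
// nulls in one operation, so the dangling variant cannot be written by accident.
struct PointerStateOwned {
    std::unique_ptr<CursorImage> cursor;
};

static void release_cursor_owned(PointerStateOwned& st) {
    st.cursor.reset();
}

// Shows the defect without triggering it: after the dangling release the
// pointer still compares non-null. We only compare the value and then
// restore the invariant; the freed object is never dereferenced or deleted.
static bool demo_dangling_release() {
    PointerStateRaw st;
    st.cursor = new CursorImage{32, 32};
    release_cursor_dangling(st);
    bool stale_address_retained = (st.cursor != nullptr);
    st.cursor = nullptr;
    return stale_address_retained;
}

// Exercises the fixed paths and reports whether every invariant held.
static bool demo_safe_release() {
    PointerStateRaw raw;
    raw.cursor = new CursorImage{32, 32};
    int w = 0;
    bool had_cursor_before = update_cursor(raw, w) && w == 32;
    release_cursor_safe(raw);
    bool no_cursor_after = !update_cursor(raw, w) && raw.cursor == nullptr;
    release_cursor_safe(raw);  // second release: defined no-op, no double free
    bool still_null = (raw.cursor == nullptr);

    PointerStateOwned owned;
    owned.cursor = std::make_unique<CursorImage>(CursorImage{16, 16});
    release_cursor_owned(owned);
    bool owned_null = (owned.cursor == nullptr);

    return had_cursor_before && no_cursor_after && still_null && owned_null;
}

int main() {
    return (demo_dangling_release() && demo_safe_release()) ? 0 : 1;
}
```

The point of the contrast is that the consumer (update_cursor) can only be defensive if the release path leaves a recognisable "absent" value behind; nulling after free is what turns a latent use-after-free into a cheap null check, and unique_ptr makes that behaviour the default rather than something each code path (SDL2 and SDL3 alike) has to remember.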
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated exploitation of the heap use-after-free in FreeRDP SDL2 clients directly produces application crashes and instability (high availability impact, no code execution), mapping exactly to T1499.004 Application or System Exploitation.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of flaws like the incomplete heap-use-after-free fix in FreeRDP's SDL2 implementation prior to version 3.23.0.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning to identify systems using vulnerable FreeRDP versions affected by the unnulled pointer after free in SDL2.
- Ensures monitoring and response to security advisories such as GHSA-rvfg-86cr-5r6p, enabling awareness and patching of the incomplete SDL2 fix.