CVE-2026-27950
Published: 25 February 2026
Summary
CVE-2026-27950 is a high-severity Use After Free (CWE-416) vulnerability in FreeRDP (NVD vendor/product: Freerdp / Freerdp). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 29.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Use-after-free exploits that aim for arbitrary code execution are blocked or significantly hardened by non-executable pages (NX/DEP) and ASLR. Note that this CVE is scored for availability impact only: those controls do not prevent the crash-driven denial of service, which requires the fix shipped in version 3.23.0.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Remote unauthenticated exploitation of the heap use-after-free in FreeRDP SDL2 clients directly produces application crashes and instability (high availability impact, no code execution), which maps directly to T1499.004 Application or System Exploitation.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to the SDL3 code path. In the SDL2 implementation, the pointer is not nulled after free. This creates a situation where the advisory suggests the vulnerability is fully resolved, while builds or environments still using SDL2 may retain the vulnerable logic. A complete fix is available in version 3.23.0.
Deeper analysis (AI-generated)
CVE-2026-27950 is a heap-use-after-free vulnerability (CWE-416) in FreeRDP, a free implementation of the Remote Desktop Protocol. It stems from an incomplete fix for the issue originally described in CVE-2026-24680. While the prior advisory indicated resolution, the patch was applied only to the SDL3 code path, leaving the SDL2 implementation vulnerable. In SDL2, a pointer is freed but not nulled, enabling use-after-free conditions in affected builds or environments prior to version 3.23.0. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By triggering the vulnerable execution flow in FreeRDP clients using SDL2, attackers can cause a heap-use-after-free, leading to denial of service through application crashes or instability, with high impact on availability but no direct confidentiality or integrity effects.
The FreeRDP security advisory (GHSA-rvfg-86cr-5r6p) and related commits detail the mitigation: upgrade to version 3.23.0, which applies the pointer-nulling fix to both SDL2 and SDL3 paths. Specific changes appear in commits like 5f62aa11c1bdf00f94c40ea9ebb260a752740b80 and c42ecbd183b001e76bfc3614cddfad0034acc758, addressing the SDL2 file sdl_pointer.cpp at lines 63-64.
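Added illustration of the bug class described above; this is not FreeRDP code and not the contents of sdl_pointer.cpp. It models the free-without-null pattern beside the corrected release path, using a liveness registry (standing in for what AddressSanitizer or a hardened allocator tracks) so the stale pointer is reported rather than dereferenced. Cursor, Session and all function names are hypothetical.

```cpp
#include <set>

// Liveness registry: lets a stale pointer be detected without touching
// freed memory (a constructed stand-in for sanitizer/allocator tracking).
static std::set<const void*> g_live;

struct Cursor { int w, h; };          // hypothetical pointer-image object
struct Session { Cursor* cursor; };   // hypothetical client context owning it

static Cursor* cursor_alloc(int w, int h) {
    Cursor* c = new Cursor{w, h};
    g_live.insert(c);
    return c;
}

static void cursor_free(Cursor* c) {
    g_live.erase(c);
    delete c;
}

// Unfixed pattern (what the advisory describes for the SDL2 path before
// 3.23.0): the object is freed, but the owning field keeps the old address.
static void release_cursor_unfixed(Session& s) {
    cursor_free(s.cursor);
}

// Fixed pattern: free and null together, so later null checks take the
// safe branch instead of reaching freed memory.
static void release_cursor_fixed(Session& s) {
    cursor_free(s.cursor);
    s.cursor = nullptr;
}

enum UseResult { USE_NONE, USE_OK, USE_STALE };

// A later code path that uses the cursor behind the usual null check. After
// the unfixed release the check passes (pointer is non-null) and the access
// would be a heap use-after-free; here that is reported as USE_STALE.
static UseResult use_cursor(const Session& s) {
    if (s.cursor == nullptr) return USE_NONE;
    if (g_live.count(s.cursor) == 0) return USE_STALE;
    return USE_OK;
}

// Runs allocate -> release -> use for one of the two release variants.
static UseResult run_scenario(bool fixed) {
    Session s{cursor_alloc(32, 32)};
    if (fixed) release_cursor_fixed(s); else release_cursor_unfixed(s);
    return use_cursor(s);
}
```

`run_scenario(false)` reports the stale access that the SDL2 path could hit; `run_scenario(true)` shows the guard working once the pointer is nulled.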
Details
- CWE(s)