Cyber Resilience

CVE-2026-27950

Severity: Medium
Published: 25 February 2026
Modified: 27 February 2026
KEV Added: not listed in the CISA KEV catalog
Patch: version 3.23.0
CVSS Score (v4): 5.5
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0011 (29.8th percentile)
Risk Priority: 11 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27950 is a medium-severity Use After Free (CWE-416) vulnerability in FreeRDP (vendor/product: Freerdp Freerdp). Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 29.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27950 is a heap-use-after-free vulnerability (CWE-416) in FreeRDP, a free implementation of the Remote Desktop Protocol. It stems from an incomplete fix for the issue originally described in CVE-2026-24680. While the prior advisory indicated resolution, the patch was applied only to the SDL3 code path, leaving the SDL2 implementation vulnerable. In the SDL2 path a pointer is freed but not nulled, enabling use-after-free conditions in affected builds or environments running versions prior to 3.23.0. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By triggering the vulnerable execution flow in FreeRDP clients using SDL2, attackers can cause a heap-use-after-free, leading to denial of service through application crashes or instability, with high impact on availability but no direct confidentiality or integrity effects.

The FreeRDP security advisory (GHSA-rvfg-86cr-5r6p) and related commits detail the mitigation: upgrade to version 3.23.0, which applies the pointer-nulling fix to both the SDL2 and SDL3 paths. The specific changes are in commits 5f62aa11c1bdf00f94c40ea9ebb260a752740b80 and c42ecbd183b001e76bfc3614cddfad0034acc758, which address the SDL2 file sdl_pointer.cpp at lines 63-64.

Vulnerability details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to the SDL3 code path. In the SDL2 implementation, the pointer is not nulled after free. This creates a situation where the advisory suggests the vulnerability is fully resolved, while builds or environments still using SDL2 may retain the vulnerable logic. A complete fix is available in version 3.23.0.
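As an added illustration of the defect class described above (not FreeRDP's own code; the struct and function names are hypothetical and the cursor object is constructed for the example), the following C places the free-without-null shape next to the free-and-null form, with a simulated session whose repeated teardown is only safe in the hardened form:

```c
#include <stdlib.h>
/* Hypothetical client-side cursor object, constructed for this example; not FreeRDP code. */
struct cursor { int width, height; unsigned char *pixels; };
/* Owning state; the bug class is an owner field left pointing at a freed object. */
struct client_state { struct cursor *cursor; int cursors_freed; };
struct cursor *cursor_new(int w, int h) {
    struct cursor *c = calloc(1, sizeof *c);
    if (c && !(c->pixels = calloc((size_t)w * (size_t)h, 4))) { free(c); c = NULL; } /* RGBA */
    if (c) { c->width = w; c->height = h; }
    return c;
}
void cursor_free(struct cursor *c) {
    if (!c) return;
    free(c->pixels);
    free(c);
}
/* Vulnerable shape: freed, but the owning field keeps the stale address, so a later
 * `if (s->cursor)` guard, second teardown or redraw touches freed memory. */
void client_clear_cursor_vulnerable(struct client_state *s) {
    cursor_free(s->cursor);
    s->cursors_freed++;
    /* missing: s->cursor = NULL; */
}
/* Hardened shape: free and null together; the guard then makes the call idempotent. */
void client_clear_cursor(struct client_state *s) {
    if (!s->cursor) return;
    cursor_free(s->cursor);
    s->cursor = NULL;
    s->cursors_freed++;
}
/* Cursor updates arrive repeatedly in a session; each must release the previous object. */
int client_set_cursor(struct client_state *s, int w, int h) {
    struct cursor *c = cursor_new(w, h);
    if (!c) return -1;
    client_clear_cursor(s);
    s->cursor = c;
    return 0;
}
/* Simulated session: two updates, then teardown twice (disconnect plus destructor).
 * Returns objects freed (2) with the field ending null; the vulnerable variant would
 * free the last object a second time on the repeated teardown. */
int run_session(void) {
    struct client_state s = { NULL, 0 };
    if (client_set_cursor(&s, 32, 32) || client_set_cursor(&s, 64, 64)) return -1;
    client_clear_cursor(&s);
    client_clear_cursor(&s); /* safe: cursor already NULL */
    return s.cursor == NULL ? s.cursors_freed : -2;
}
```

Building a client with AddressSanitizer (-fsanitize=address) and exercising the teardown path twice is the quickest way to confirm which shape a given build carries.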

CWE(s): CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated exploitation of the heap use-after-free in FreeRDP SDL2 clients directly produces application crashes and instability (high availability impact, no code execution), mapping exactly to T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24684: same product (Freerdp Freerdp)
CVE-2026-24683: same product (Freerdp Freerdp)
CVE-2026-24676: same product (Freerdp Freerdp)
CVE-2026-24675: same product (Freerdp Freerdp)
CVE-2026-25954: same product (Freerdp Freerdp)
CVE-2026-26986: same product (Freerdp Freerdp)
CVE-2026-24491: same product (Freerdp Freerdp)
CVE-2026-24680: same product (Freerdp Freerdp)
CVE-2026-23884: same product (Freerdp Freerdp)
CVE-2026-24678: same product (Freerdp Freerdp)

Affected Assets

Vendor: freerdp
Product: freerdp
Versions: ≤ 3.23.0

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2 Flaw Remediation): mandates timely identification, reporting, and correction of flaws like the incomplete heap-use-after-free fix in FreeRDP's SDL2 implementation prior to version 3.23.0.

detect (RA-5 Vulnerability Monitoring and Scanning): requires vulnerability scanning to identify systems running vulnerable FreeRDP versions affected by the unnulled pointer after free in SDL2.

detect: ensures monitoring of and response to security advisories such as GHSA-rvfg-86cr-5r6p, enabling awareness and patching of the incomplete SDL2 fix.