{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27950", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:11:36.690Z", "datePublished": "2026-02-25T21:05:23.581Z", "dateUpdated": "2026-02-26T20:38:07.068Z"}, "containers": {"cna": {"title": "FreeRDP heap-use-after-free in update_pointer_new(SDL): Fix Applied in the Wrong File", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rvfg-86cr-5r6p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rvfg-86cr-5r6p"}, {"name": "https://github.com/FreeRDP/FreeRDP/commit/5f62aa11c1bdf00f94c40ea9ebb260a752740b80", "tags": ["x_refsource_MISC"], "url": "https://github.com/FreeRDP/FreeRDP/commit/5f62aa11c1bdf00f94c40ea9ebb260a752740b80"}, {"name": "https://github.com/FreeRDP/FreeRDP/commit/c42ecbd183b001e76bfc3614cddfad0034acc758", "tags": ["x_refsource_MISC"], "url": "https://github.com/FreeRDP/FreeRDP/commit/c42ecbd183b001e76bfc3614cddfad0034acc758"}, {"name": "https://github.com/FreeRDP/FreeRDP/blob/master/client/SDL/SDL2/sdl_pointer.cpp#L63-L64", "tags": ["x_refsource_MISC"], "url": "https://github.com/FreeRDP/FreeRDP/blob/master/client/SDL/SDL2/sdl_pointer.cpp#L63-L64"}], "affected": [{"vendor": "FreeRDP", "product": "FreeRDP", "versions": [{"version": "< 3.23.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T21:05:23.581Z"}, "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to the SDL3 code path. In the SDL2 implementation, the pointer is not nulled after free. This creates a situation where the advisory suggests the vulnerability is fully resolved, while builds or environments still using SDL2 may retain the vulnerable logic. A complete fix is available in version 3.23.0."}], "source": {"advisory": "GHSA-rvfg-86cr-5r6p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T20:37:16.691890Z", "id": "CVE-2026-27950", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T20:38:07.068Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "FreeRDP heap-use-after-free in update_pointer_new(SDL): Fix Applied in the Wrong File", "source": {"advisory": "GHSA-rvfg-86cr-5r6p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "FreeRDP", "product": "FreeRDP", "versions": [{"status": "affected", "version": "< 3.23.0"}]}], "references": [{"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rvfg-86cr-5r6p", "name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rvfg-86cr-5r6p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/FreeRDP/FreeRDP/commit/5f62aa11c1bdf00f94c40ea9ebb260a752740b80", "name": "https://github.com/FreeRDP/FreeRDP/commit/5f62aa11c1bdf00f94c40ea9ebb260a752740b80", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/FreeRDP/FreeRDP/commit/c42ecbd183b001e76bfc3614cddfad0034acc758", "name": "https://github.com/FreeRDP/FreeRDP/commit/c42ecbd183b001e76bfc3614cddfad0034acc758", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/FreeRDP/FreeRDP/blob/master/client/SDL/SDL2/sdl_pointer.cpp#L63-L64", "name": "https://github.com/FreeRDP/FreeRDP/blob/master/client/SDL/SDL2/sdl_pointer.cpp#L63-L64", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to the SDL3 code path. In the SDL2 implementation, the pointer is not nulled after free. This creates a situation where the advisory suggests the vulnerability is fully resolved, while builds or environments still using SDL2 may retain the vulnerable logic. A complete fix is available in version 3.23.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T21:05:23.581Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27950", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T20:37:16.691890Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-02-26T20:38:01.796Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-27950", "state": "PUBLISHED", "dateUpdated": "2026-02-25T21:05:23.581Z", "dateReserved": "2026-02-25T03:11:36.690Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T21:05:23.581Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*", "matchCriteriaId": "31715854-6D23-4207-AB69-27707C7B2D42", "versionEndExcluding": "3.23.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to the SDL3 code path. In the SDL2 implementation, the pointer is not nulled after free. This creates a situation where the advisory suggests the vulnerability is fully resolved, while builds or environments still using SDL2 may retain the vulnerable logic. A complete fix is available in version 3.23.0."}, {"lang": "es", "value": "FreeRDP es una implementaci\u00f3n gratuita del Protocolo de Escritorio Remoto. Antes de la versi\u00f3n 3.23.0, la correcci\u00f3n para el uso despu\u00e9s de liberaci\u00f3n del mont\u00f3n descrita en CVE-2026-24680 est\u00e1 incompleta. Aunque el flujo de ejecuci\u00f3n vulnerable referenciado en el aviso existe en la implementaci\u00f3n de SDL2, la correcci\u00f3n parece haberse aplicado solo a la ruta de c\u00f3digo de SDL3. En la implementaci\u00f3n de SDL2, el puntero no se anula despu\u00e9s de la liberaci\u00f3n. Esto crea una situaci\u00f3n donde el aviso sugiere que la vulnerabilidad est\u00e1 completamente resuelta, mientras que las compilaciones o entornos que a\u00fan usan SDL2 pueden retener la l\u00f3gica vulnerable. Una correcci\u00f3n completa est\u00e1 disponible en la versi\u00f3n 3.23.0."}], "id": "CVE-2026-27950", "lastModified": "2026-02-27T19:10:21.367", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-25T22:16:27.297", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/FreeRDP/FreeRDP/blob/master/client/SDL/SDL2/sdl_pointer.cpp#L63-L64"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/FreeRDP/FreeRDP/commit/5f62aa11c1bdf00f94c40ea9ebb260a752740b80"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/FreeRDP/FreeRDP/commit/c42ecbd183b001e76bfc3614cddfad0034acc758"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rvfg-86cr-5r6p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "freerdp: FreeRDP: Denial of service due to incomplete fix for heap-use-after-free vulnerability", "id": "2442780", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442780"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-825", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27950", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-25T21:05:23Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27950\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27950\nhttps://github.com/FreeRDP/FreeRDP/blob/master/client/SDL/SDL2/sdl_pointer.cpp#L63-L64\nhttps://github.com/FreeRDP/FreeRDP/commit/5f62aa11c1bdf00f94c40ea9ebb260a752740b80\nhttps://github.com/FreeRDP/FreeRDP/commit/c42ecbd183b001e76bfc3614cddfad0034acc758\nhttps://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rvfg-86cr-5r6p"], "threat_severity": "Moderate"}