Bug 2442780 (CVE-2026-27950)

Summary: CVE-2026-27950 freerdp: FreeRDP: Denial of service due to incomplete fix for heap-use-after-free vulnerability
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in FreeRDP. An incomplete fix for a heap-use-after-free vulnerability (CVE-2026-24680) in the SDL2 implementation allows a remote attacker to trigger a denial of service. The pointer is not nulled after being freed, which can lead to memory corruption. This issue means that environments still using SDL2 may remain vulnerable despite the previous advisory.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2442804, 2442808, 2442815, 2442821, 2442817    
Bug Blocks:    

Description OSIDB Bzimport 2026-02-25 22:02:02 UTC 
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to the SDL3 code path. In the SDL2 implementation, the pointer is not nulled after free. This creates a situation where the advisory suggests the vulnerability is fully resolved, while builds or environments still using SDL2 may retain the vulnerable logic. A complete fix is available in version 3.23.0.