<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>FreeRDP &lt; 3.22.0 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/freerdp--3.22.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 14:23:25 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/freerdp--3.22.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-56297 - FreeRDP Use-After-Free Vulnerability Leading to RCE/DoS</title><link>https://feed.craftedsignal.io/briefs/2026-07-freerdp-use-after-free/</link><pubDate>Wed, 08 Jul 2026 14:23:25 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-freerdp-use-after-free/</guid><description>A use-after-free vulnerability (CVE-2026-56297) in the FreeRDP client before version 3.22.0 allows a malicious RDP server to achieve remote code execution or denial of service on connecting clients by triggering a race condition through concurrent DYNVC_DATA and DYNVC_CLOSE messages.</description><content:encoded><![CDATA[<p>CVE-2026-56297 describes a critical use-after-free vulnerability affecting FreeRDP client versions prior to 3.22.0. This flaw, residing within the <code>dvcman_channel_close</code> and <code>dvcman_call_on_receive</code> functions, arises from improper synchronization of <code>channel_callback</code> access. An attacker can exploit this by operating a malicious RDP server, which sends specially crafted <code>DYNVC_DATA</code> and <code>DYNVC_CLOSE</code> messages concurrently. This race condition leads to a heap-use-after-free condition in the <code>drdynvc</code> client thread, potentially resulting in remote code execution (RCE) or a denial of service (DoS) on the connecting FreeRDP client. The vulnerability was published on July 8, 2026, and impacts users of the FreeRDP client library. Defenders should prioritize patching and be aware of malicious RDP servers targeting their FreeRDP-enabled endpoints.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The victim uses a FreeRDP client version prior to 3.22.0 to connect to a malicious RDP server.</li>
<li>The malicious RDP server initiates dynamic virtual channel (DYNVC) communication with the client.</li>
<li>The server crafts and sends <code>DYNVC_DATA</code> and <code>DYNVC_CLOSE</code> messages concurrently to the client.</li>
<li>Due to improper synchronization within <code>dvcman_channel_close</code> and <code>dvcman_call_on_receive</code>, a race condition is triggered in the FreeRDP client's <code>drdynvc</code> thread.</li>
<li>This race condition causes a heap-use-after-free error within the client's memory.</li>
<li>The malicious RDP server can leverage this memory corruption to achieve remote code execution on the client, or simply cause the client application to crash, leading to a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of CVE-2026-56297 can lead to severe consequences for organizations utilizing vulnerable FreeRDP clients. Attackers controlling a malicious RDP server could execute arbitrary code on the client machine, potentially leading to full system compromise, data exfiltration, or further network lateral movement. Alternatively, they could trigger a denial of service, rendering the FreeRDP client application unusable and disrupting user access to legitimate RDP sessions. While no specific victim counts or targeted sectors are mentioned, any organization whose users connect to untrusted RDP servers via affected FreeRDP clients is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade all FreeRDP client installations to version 3.22.0 or later to patch CVE-2026-56297.</li>
<li>Implement strict policies and controls on which RDP servers users are permitted to connect to, especially when using FreeRDP clients.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>RCE</category><category>DoS</category><category>FreeRDP</category><category>client-side</category></item></channel></rss>