{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/freerdp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-56297"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FreeRDP \u003c 3.22.0"],"_cs_severities":["high"],"_cs_tags":["vulnerability","RCE","DoS","FreeRDP","client-side"],"_cs_type":"advisory","_cs_vendors":["FreeRDP"],"content_html":"\u003cp\u003eCVE-2026-56297 describes a critical use-after-free vulnerability affecting FreeRDP client versions prior to 3.22.0. This flaw, residing within the \u003ccode\u003edvcman_channel_close\u003c/code\u003e and \u003ccode\u003edvcman_call_on_receive\u003c/code\u003e functions, arises from improper synchronization of \u003ccode\u003echannel_callback\u003c/code\u003e access. An attacker can exploit this by operating a malicious RDP server, which sends specially crafted \u003ccode\u003eDYNVC_DATA\u003c/code\u003e and \u003ccode\u003eDYNVC_CLOSE\u003c/code\u003e messages concurrently. This race condition leads to a heap-use-after-free condition in the \u003ccode\u003edrdynvc\u003c/code\u003e client thread, potentially resulting in remote code execution (RCE) or a denial of service (DoS) on the connecting FreeRDP client. The vulnerability was published on July 8, 2026, and impacts users of the FreeRDP client library. Defenders should prioritize patching and be aware of malicious RDP servers targeting their FreeRDP-enabled endpoints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim uses a FreeRDP client version prior to 3.22.0 to connect to a malicious RDP server.\u003c/li\u003e\n\u003cli\u003eThe malicious RDP server initiates dynamic virtual channel (DYNVC) communication with the client.\u003c/li\u003e\n\u003cli\u003eThe server crafts and sends \u003ccode\u003eDYNVC_DATA\u003c/code\u003e and \u003ccode\u003eDYNVC_CLOSE\u003c/code\u003e messages concurrently to the client.\u003c/li\u003e\n\u003cli\u003eDue to improper synchronization within \u003ccode\u003edvcman_channel_close\u003c/code\u003e and \u003ccode\u003edvcman_call_on_receive\u003c/code\u003e, a race condition is triggered in the FreeRDP client's \u003ccode\u003edrdynvc\u003c/code\u003e thread.\u003c/li\u003e\n\u003cli\u003eThis race condition causes a heap-use-after-free error within the client's memory.\u003c/li\u003e\n\u003cli\u003eThe malicious RDP server can leverage this memory corruption to achieve remote code execution on the client, or simply cause the client application to crash, leading to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-56297 can lead to severe consequences for organizations utilizing vulnerable FreeRDP clients. Attackers controlling a malicious RDP server could execute arbitrary code on the client machine, potentially leading to full system compromise, data exfiltration, or further network lateral movement. Alternatively, they could trigger a denial of service, rendering the FreeRDP client application unusable and disrupting user access to legitimate RDP sessions. While no specific victim counts or targeted sectors are mentioned, any organization whose users connect to untrusted RDP servers via affected FreeRDP clients is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade all FreeRDP client installations to version 3.22.0 or later to patch CVE-2026-56297.\u003c/li\u003e\n\u003cli\u003eImplement strict policies and controls on which RDP servers users are permitted to connect to, especially when using FreeRDP clients.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T14:23:25Z","date_published":"2026-07-08T14:23:25Z","id":"https://feed.craftedsignal.io/briefs/2026-07-freerdp-use-after-free/","summary":"A use-after-free vulnerability (CVE-2026-56297) in the FreeRDP client before version 3.22.0 allows a malicious RDP server to achieve remote code execution or denial of service on connecting clients by triggering a race condition through concurrent DYNVC_DATA and DYNVC_CLOSE messages.","title":"CVE-2026-56297 - FreeRDP Use-After-Free Vulnerability Leading to RCE/DoS","url":"https://feed.craftedsignal.io/briefs/2026-07-freerdp-use-after-free/"}],"language":"en","title":"CraftedSignal Threat Feed - FreeRDP","version":"https://jsonfeed.org/version/1.1"}