CVE-2026-27950

{"id": "CVE-2026-27950", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-25T22:16:27.297", "references": [{"url": "https://github.com/FreeRDP/FreeRDP/blob/master/client/SDL/SDL2/sdl_pointer.cpp#L63-L64", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/FreeRDP/FreeRDP/commit/5f62aa11c1bdf00f94c40ea9ebb260a752740b80", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/FreeRDP/FreeRDP/commit/c42ecbd183b001e76bfc3614cddfad0034acc758", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rvfg-86cr-5r6p", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to the SDL3 code path. In the SDL2 implementation, the pointer is not nulled after free. This creates a situation where the advisory suggests the vulnerability is fully resolved, while builds or environments still using SDL2 may retain the vulnerable logic. A complete fix is available in version 3.23.0."}, {"lang": "es", "value": "FreeRDP es una implementaci\u00f3n gratuita del Protocolo de Escritorio Remoto. Antes de la versi\u00f3n 3.23.0, la correcci\u00f3n para el uso despu\u00e9s de liberaci\u00f3n del mont\u00f3n descrita en CVE-2026-24680 est\u00e1 incompleta. Aunque el flujo de ejecuci\u00f3n vulnerable referenciado en el aviso existe en la implementaci\u00f3n de SDL2, la correcci\u00f3n parece haberse aplicado solo a la ruta de c\u00f3digo de SDL3. En la implementaci\u00f3n de SDL2, el puntero no se anula despu\u00e9s de la liberaci\u00f3n. Esto crea una situaci\u00f3n donde el aviso sugiere que la vulnerabilidad est\u00e1 completamente resuelta, mientras que las compilaciones o entornos que a\u00fan usan SDL2 pueden retener la l\u00f3gica vulnerable. Una correcci\u00f3n completa est\u00e1 disponible en la versi\u00f3n 3.23.0."}], "lastModified": "2026-02-27T19:10:21.367", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "31715854-6D23-4207-AB69-27707C7B2D42", "versionEndExcluding": "3.23.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}