Double free in FreeRDP - #VU136922

 

Double free in FreeRDP - #VU136922

Published: July 6, 2026


Vulnerability identifier: #VU136922
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-415
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FreeRDP
Affected software:
FreeRDP

Detailed vulnerability description

The vulnerability allows a remote attacker to cause memory corruption.

The vulnerability exists due to double free in freerdp_client_rdp_file_apply_to_settings() when parsing a crafted selectedmonitors field in a .rdp file. A remote attacker can trick the victim into opening a crafted .rdp file to cause memory corruption.

User interaction is required to open the crafted connection file, and the issue is reachable in the default configuration of the FreeRDP CLI clients.


Remediation

Install security update from vendor's website.

Sources