FreeRDP SDL Client Race Condition Vulnerability Leading to Heap Use-After-Free

Vulnerability

A heap use-after-free vulnerability has been identified in FreeRDP versions prior to 3.20.1. This issue arises from a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread. The vulnerability occurs when an escaped pointer to the primary SDL_Surface is accessed after it has been freed, during the handling of RDPGFX ResetGraphics. This flaw is present in the FreeRDP SDL3 client only.

Impact

Exploitation of this vulnerability creates a use-after-free condition, which can lead to memory corruption. While no direct code execution has been demonstrated, this type of memory safety violation is considered security-relevant.

Reproduction

The vulnerability can be reproduced by using the FreeRDP SDL3 client to connect to a remote desktop session. During the session, the RDPGFX ResetGraphics command is sent, which frees the primary framebuffer surface. If the SDL render thread accesses the same surface pointer before it is properly reinitialized, a use-after-free condition occurs. This can be verified using AddressSanitizer, which will detect the memory safety violation.

Remediation

Users can upgrade to FreeRDP version 3.20.1 or later to address this vulnerability.
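The race described above comes from a raw surface pointer outliving the reset that frees it. The following added example (not FreeRDP code and not the project's actual fix; gfx_ctx_t, gfx_reset, gfx_render and gfx_is_stale are hypothetical names) sketches one general pattern that avoids it: the surface is looked up and used inside a single critical section, and a generation counter lets callers detect that cached state is stale.

```c
/* Added illustration, not FreeRDP code; every name here is hypothetical. */
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
typedef struct { uint32_t w, h; uint32_t *pixels; } surface_t;
typedef struct {
    pthread_mutex_t lock;   /* guards primary and generation */
    surface_t *primary;     /* owned by the context, never handed out raw */
    uint64_t generation;    /* bumped on every reset */
} gfx_ctx_t;

static surface_t *surface_new(uint32_t w, uint32_t h) {
    surface_t *s = malloc(sizeof *s);
    if (!s) return NULL;
    s->w = w; s->h = h;
    s->pixels = calloc((size_t)w * h, sizeof *s->pixels);
    if (!s->pixels) { free(s); return NULL; }
    return s;
}

/* Channel-thread side: swap the surface while holding the lock. */
int gfx_reset(gfx_ctx_t *c, uint32_t w, uint32_t h) {
    surface_t *fresh = surface_new(w, h);
    if (!fresh) return -1;
    pthread_mutex_lock(&c->lock);
    surface_t *old = c->primary;
    c->primary = fresh;
    c->generation++;
    pthread_mutex_unlock(&c->lock);
    if (old) { free(old->pixels); free(old); } /* no reader can hold 'old' */
    return 0;
}

/* Render-thread side: look up and use the surface in one critical section. */
size_t gfx_render(gfx_ctx_t *c, uint64_t *gen_out) {
    pthread_mutex_lock(&c->lock);
    size_t n = c->primary ? (size_t)c->primary->w * c->primary->h : 0;
    if (n > 0) c->primary->pixels[0] = 0xFF000000u; /* stand-in for a blit */
    if (gen_out) *gen_out = c->generation;
    pthread_mutex_unlock(&c->lock);
    return n;
}
/* Anything a caller remembered about the surface is stale once this is 1. */
int gfx_is_stale(gfx_ctx_t *c, uint64_t seen) {
    pthread_mutex_lock(&c->lock);
    int stale = (seen != c->generation);
    pthread_mutex_unlock(&c->lock);
    return stale;
}
```

Freeing the old surface after unlocking is safe here only because no caller ever receives the raw pointer; an accessor that returned `c->primary` would reintroduce the escaped-pointer hazard.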

Added: Jan 14, 2026, 6:24 PM
Updated: Jan 14, 2026, 6:24 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 0.8
exploitability: 5.4
remediation: 7.7
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.