FreeRDP Offscreen Bitmap Cache Use-After-Free Vulnerability Leading to Denial-of-Service and Potential Code Execution

Vulnerability

A heap-use-after-free vulnerability has been identified in FreeRDP, a free implementation of the Remote Desktop Protocol, prior to version 3.21.0. The issue arises in the offscreen bitmap cache, where the deletion of a bitmap leaves a pointer to freed memory. This dangling pointer can be exploited by a malicious server, causing a client-side crash and potential heap corruption, with a risk of code execution depending on the memory allocator and heap layout.

Impact

Exploitation of this vulnerability leads to a client-side use-after-free, causing a crash and potential heap corruption, with a risk of code execution depending on the memory allocator and heap layout.

Reproduction

The vulnerability can be reproduced by a malicious server that sends update orders for the offscreen bitmap cache. The server deletes an existing cached bitmap, which frees the associated memory without clearing the graphics device interface (GDI) reference that still points at it. When the server then sends a primary drawing order that carries bounds updates, the FreeRDP client dereferences the dangling pointer, triggering the use-after-free condition.
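The delete-then-dereference sequence described above, as a constructed C model added here (not FreeRDP's code; the structures and function names are assumptions): the unpatched delete frees a cache slot while the GDI's render-target pointer still aliases it, the fixed delete retargets to the primary surface first, and a pointer-only check lets an order handler detect a stale target before dereferencing it.

```c
#include <stdlib.h>
#include <string.h>
#define CACHE_SLOTS 8
typedef struct { unsigned char *pixels; } surface_t;

/* Constructed GDI model, not FreeRDP's structures: "drawing" names the current render
 * target and may alias a cache slot; that alias goes stale if the slot is freed first. */
typedef struct {
    surface_t primary;               /* lives for the whole session */
    surface_t *drawing;              /* current render target */
    surface_t *cache[CACHE_SLOTS];   /* server-created offscreen bitmaps */
} gdi_t;
static void surface_free(surface_t *s) { if (s) { free(s->pixels); free(s); } }
/* Session start: empty cache, drawing targets the primary surface. */
int gdi_init(gdi_t *g, size_t primary_bytes) {
    memset(g, 0, sizeof(*g));
    g->primary.pixels = calloc(primary_bytes, 1);
    g->drawing = &g->primary;
    return g->primary.pixels ? 0 : -1;
}
/* "Create offscreen bitmap" order: fill a free slot and make it the render target. */
int cache_create(gdi_t *g, unsigned slot, size_t bytes) {
    surface_t *s;
    if (slot >= CACHE_SLOTS || g->cache[slot] || !(s = calloc(1, sizeof(*s)))) return -1;
    if (!(s->pixels = calloc(bytes, 1))) { free(s); return -1; }
    g->cache[slot] = g->drawing = s;
    return 0;
}
/* Unpatched delete (the bug class on this page): the slot is freed, but the render
 * target is never revisited, so it may now point at freed memory. */
void cache_delete_unpatched(gdi_t *g, unsigned slot) {
    if (slot >= CACHE_SLOTS) return;
    surface_free(g->cache[slot]);
    g->cache[slot] = NULL;
}
/* Fixed delete: retarget to the primary surface before the slot is freed. */
void cache_delete_fixed(gdi_t *g, unsigned slot) {
    if (slot < CACHE_SLOTS && g->drawing == g->cache[slot]) g->drawing = &g->primary;
    cache_delete_unpatched(g, slot);
}

/* Check before dereferencing drawing: 1 if it names the primary surface or a
 * still-allocated slot, 0 if stale. Compares pointer values only, never reads them. */
int drawing_target_is_live(const gdi_t *g) {
    if (g->drawing == &g->primary) return 1;
    for (unsigned i = 0; i < CACHE_SLOTS; i++)
        if (g->cache[i] && g->cache[i] == g->drawing) return 1;
    return 0;
}
```

Running the fixed delete leaves the target live; running the unpatched delete leaves a target that the check reports as stale, which is the state a bounds update would then dereference.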

Remediation

Users can upgrade to FreeRDP version 3.21.0 or later, where this vulnerability has been patched.

Added: Jan 19, 2026, 6:21 PM
Updated: Jan 19, 2026, 6:21 PM

Vulnerability Rating

Custom Algorithm

  category         score
  spread             5.4
  impact            10.0
  exploitability     5.6
  remediation        7.7
  relevance          2.2
  threat             6.4
  urgency            2.9
  incentive          0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.