FreeRDP RDPSND Heap Use-After-Free Vulnerability in Async Playback Thread

Vulnerability

A heap-use-after-free vulnerability has been identified in FreeRDP versions prior to 3.22.0. The issue arises in the RDPSND asynchronous playback thread, which can process queued Protocol Data Units (PDUs) after the channel has been closed and the internal state has been freed. This leads to a use-after-free condition in the function 'rdpsnd_treat_wave'. The vulnerability can be exploited by a malicious server, causing a client-side crash and potential heap corruption, with a risk of code execution depending on the behavior of the memory allocator and the layout of the surrounding heap.

Impact

Exploitation of this vulnerability leads to a heap-use-after-free condition, causing a crash and potential heap corruption. This could allow for code execution, depending on the behavior of the memory allocator and the layout of the heap.

Reproduction

In FreeRDP versions prior to 3.22.0, enable the RDPSND channel in asynchronous mode. When the playback thread is active, close the RDPSND channel without properly terminating the playback thread. The playback thread will continue to process queued PDUs, leading to a use-after-free condition.
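The lifecycle rule behind this bug class, as an added example that is not FreeRDP's code or its fix: a generic pthread worker whose teardown stops and joins the thread before freeing the state it dereferences. The `channel` type and the `channel_*` and `playback` names are hypothetical, and the queued values are constructed.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical channel model with an async worker; not FreeRDP's structures. */
typedef struct {
    pthread_mutex_t lock; pthread_cond_t cond; pthread_t worker;
    unsigned queue[8], head, tail, played; /* ring of constructed "PDU" values */
    unsigned *state;                       /* heap state the worker dereferences */
    bool stop;
} channel;
static void *playback(void *arg) {
    channel *ch = arg;
    pthread_mutex_lock(&ch->lock);
    for (;;) {
        while (!ch->stop && ch->head == ch->tail) pthread_cond_wait(&ch->cond, &ch->lock);
        if (ch->stop) break;                     /* leftover PDUs are dropped */
        *ch->state += ch->queue[ch->head++ % 8]; /* must never run after free */
        ch->played++;
    }
    pthread_mutex_unlock(&ch->lock);
    return NULL;
}
channel *channel_open(void) {
    channel *ch = calloc(1, sizeof *ch);
    if (!ch || !(ch->state = calloc(1, sizeof *ch->state))) { free(ch); return NULL; }
    pthread_mutex_init(&ch->lock, NULL); pthread_cond_init(&ch->cond, NULL);
    if (pthread_create(&ch->worker, NULL, playback, ch)) { free(ch->state); free(ch); return NULL; }
    return ch;
}
bool channel_push(channel *ch, unsigned pdu) {
    pthread_mutex_lock(&ch->lock);
    bool ok = !ch->stop && ch->tail - ch->head < 8; /* reject after close or when full */
    if (ok) ch->queue[ch->tail++ % 8] = pdu;
    pthread_cond_signal(&ch->cond);
    pthread_mutex_unlock(&ch->lock);
    return ok;
}
/* Safe order: stop, join, then free. Freeing before the join is the bug class. */
unsigned channel_close(channel *ch) {
    pthread_mutex_lock(&ch->lock);
    ch->stop = true;
    pthread_cond_signal(&ch->cond);
    pthread_mutex_unlock(&ch->lock);
    pthread_join(ch->worker, NULL);         /* worker can no longer touch state */
    unsigned dropped = ch->tail - ch->head; /* queued PDUs never processed */
    free(ch->state); ch->state = NULL;
    return dropped;
}
```

The caller still owns the `channel` struct after `channel_close` and frees it once no other thread can call `channel_push`.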

Remediation

Users can upgrade to FreeRDP version 3.22.0 or later, where this vulnerability has been fixed.

Added: Feb 9, 2026, 7:18 PM
Updated: Feb 9, 2026, 9:59 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 5.0
exploitability: 5.3
remediation: 7.7
relevance: 2.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.