I. Basic information on CVE-2026-22851
Vulnerability information
# FreeRDP RDPGFX SDL client use-after-free vulnerability

## Overview
FreeRDP versions prior to 3.20.1 contain a heap use-after-free vulnerability caused by a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread.

## Affected versions
Versions prior to 3.20.1.

## Details
During RDPGFX ResetGraphics handling there is a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread. A pointer to `sdl->primary` (an `SDL_Surface`) escapes and is still accessed after the surface has been freed, resulting in a heap use-after-free.

## Impact
An attacker could exploit this vulnerability to cause a crash or execute arbitrary code.
Shenlong assessment

Web-class vulnerability: Unknown

Reasoning:

N/A
Title
FreeRDP RDPGFX ResetGraphics race leads to use-after-free in SDL client (sdl->primary)
Source: US National Vulnerability Database (NVD)
Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has been freed during RDPGFX ResetGraphics handling. This vulnerability is fixed in 3.20.1.
Source: US National Vulnerability Database (NVD)
CVSS
N/A
Source: US National Vulnerability Database (NVD)
Category
Concurrent execution using a shared resource with improper synchronization (race condition)
Source: US National Vulnerability Database (NVD)
Title
FreeRDP resource management error vulnerability
Source: China National Vulnerability Database of Information Security (CNNVD)
Description
FreeRDP is an open-source implementation of the Remote Desktop Protocol (RDP) by the FreeRDP team. FreeRDP versions prior to 3.20.1 contain a resource management error vulnerability that stems from a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread and can lead to a heap use-after-free.
Source: China National Vulnerability Database of Information Security (CNNVD)
CVSS
N/A
Source: China National Vulnerability Database of Information Security (CNNVD)
Category
Resource management error
Source: China National Vulnerability Database of Information Security (CNNVD)
II. Public PoCs for CVE-2026-22851
# | PoC | Description | Source link | Shenlong link
III. Intelligence on CVE-2026-22851
  • Title: Release 3.20.1 · FreeRDP/FreeRDP · GitHub -- source link

    Tag: x_refsource_MISC

    Shenlong quick read:
    The key information on the vulnerability is as follows:
    
    - **CVEs Identified**:
      - CVE-2026-22851
      - CVE-2026-22852
      - CVE-2026-22853
      - CVE-2026-22854
      - CVE-2026-22855
      - CVE-2026-22856
      - CVE-2026-22857
      - CVE-2026-22858
      - CVE-2026-22859
    
    - **Affected Components**:
      - All vulnerabilities except CVE-2026-22858 impact FreeRDP based clients only.
      - CVE-2026-22858 also impacts FreeRDP proxy.
      - FreeRDP based servers are not affected.
    
    - **Vulnerabilities Severity**:
      - All listed vulnerabilities are of medium severity.
    
    - **Contributors**:
      - @ehdgks0627 was acknowledged for uncovering these vulnerabilities through code review and testing.
  • Title: RDPGFX ResetGraphics race leads to use-after-free in SDL client (sdl->primary) · Advisory · FreeRDP/FreeRDP · GitHub -- source link

    Tag: x_refsource_CONFIRM

    Shenlong quick read:
    # Vulnerability information
    
    ## Summary
    - **Package**: FreeRDP (C)
    - **Affected versions**: <= 3.20.0
    - **Patched versions**: 3.20.1
    - **CVE ID**: CVE-2026-22851
    
    ## Description
    A race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to `sdl->primary` (SDL_Surface) is accessed after it has been freed during RDPGFX ResetGraphics handling.
    
    ## Details
    ### 1. Pointer escape
    `SDL3` SDL/client/SDL/SDL3/sdl_freerdp.cpp Line 367
    ```cpp
    auto surface = sdl->primary.get();
    ```
    
    ### 2. Free (ResetGraphics handling)
    `SDL3` SDL/client/SDL/SDL3/sdl_freerdp.cpp Lines 470-472
    ```cpp
    sdl->primary = SDL_SurfacePtr(SDL_CreateSurfaceFrom(static_cast<int>(gdi->width),
                                                        static_cast<int>(gdi->height), sdl->sdl_pixel_format,
                                                        gdi->primary_buffer, static_cast<int>(gdi->stride)),
                                                        SDL_DestroySurface);
    ```
    
    This path is executed in the RDPGFX dynamic virtual channel thread.
    
    ### 3. Use-after-free
    `SDL3` SDL/client/SDL/SDL3/sdl_freerdp.cpp Lines 386-387
    ```cpp
    if (!sdl_draw_to_window_rect(sdl, window, surface, { window.offsetX(), window.offsetY() }, rects))
    ```
    
    ## PoC
    - AddressSanitizer
    
    ## Impact
    The vulnerability is caused by improper cross-thread lifetime management of the primary and represents a memory safety violation.
    
    ## Affects
    - FreeRDP SDL client only
    
    ## Severities and Weaknesses
    - **Severity**: Moderate
    - **Weaknesses**:
      - CWE-362
      - CWE-416
  • https://nvd.nist.gov/vuln/detail/CVE-2026-22851
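The advisory's three steps (pointer escape, free on the RDPGFX thread, use on the render thread) re-enacted deterministically, as an added C++ example that is not FreeRDP code: the stand-in `Surface`, the bookkeeping deleter and the `SdlContext*` types are constructed for the demo, and the RDPGFX thread is modelled by a callback run between the pointer escape and the draw. The hardened shape shown (a strong reference taken under a lock and held for the whole draw) is one generic remedy for this class of bug, not a description of the 3.20.1 fix.

```cpp
#include <functional>
#include <memory>
#include <mutex>
#include <set>

struct Surface { int width; int height; };  // stand-in for SDL_Surface (identity only)
// Constructed bookkeeping: the deleter records destroyed surfaces instead of freeing
// them, so a stale access is detectable without undefined behaviour (demo leaks on purpose).
static std::set<const Surface*> g_destroyed;
static void destroySurface(Surface* s) { g_destroyed.insert(s); }
// Vulnerable shape: a raw pointer escapes the owning unique_ptr (advisory step 1).
struct SdlContextUnsafe {
    std::unique_ptr<Surface, void (*)(Surface*)> primary{nullptr, destroySurface};
};
// RDPGFX thread: ResetGraphics replaces primary; the old surface is destroyed at once.
static void resetGraphicsUnsafe(SdlContextUnsafe& sdl, int w, int h) {
    sdl.primary.reset(new Surface{w, h});
}
// SDL render thread. `raceStep` models the RDPGFX thread running between get() and
// the draw; returns true when the draw would touch a destroyed surface.
static bool renderUnsafe(SdlContextUnsafe& sdl, const std::function<void()>& raceStep) {
    Surface* surface = sdl.primary.get();    // escaped pointer, no ownership
    raceStep();                              // ResetGraphics wins the race here
    return g_destroyed.count(surface) != 0;  // true => use-after-free
}
// Hardened shape: the render path takes its own strong reference for the draw.
struct SdlContextSafe {
    std::mutex lock;                         // guards reads and writes of `primary`
    std::shared_ptr<Surface> primary;
};
static void resetGraphicsSafe(SdlContextSafe& sdl, int w, int h) {
    std::shared_ptr<Surface> fresh(new Surface{w, h}, destroySurface);
    std::lock_guard<std::mutex> g(sdl.lock);
    sdl.primary = std::move(fresh);          // old surface dies when its last user is done
}
static bool renderSafe(SdlContextSafe& sdl, const std::function<void()>& raceStep) {
    std::shared_ptr<Surface> surface;
    { std::lock_guard<std::mutex> g(sdl.lock); surface = sdl.primary; }
    raceStep();                              // ResetGraphics may run now; surface stays alive
    return g_destroyed.count(surface.get()) != 0;  // false: the reference covers the draw
}
// Deterministic re-enactment of the advisory's interleaving for both shapes.
static bool unsafeShapeTouchesFreedSurface() {
    SdlContextUnsafe sdl; resetGraphicsUnsafe(sdl, 640, 480);
    return renderUnsafe(sdl, [&] { resetGraphicsUnsafe(sdl, 800, 600); });
}
static bool safeShapeTouchesFreedSurface() {
    SdlContextSafe sdl; resetGraphicsSafe(sdl, 640, 480);
    return renderSafe(sdl, [&] { resetGraphicsSafe(sdl, 800, 600); });
}
```

Under a real allocator the unsafe path is exactly what AddressSanitizer flags, as the advisory's PoC section notes; the bookkeeping set only makes the same condition observable without crashing.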