Description
FreeRDP before 3.22.0 contains a use-after-free vulnerability in dvcman_channel_close and dvcman_call_on_receive due to improper synchronization of channel_callback access. A malicious RDP server can trigger a race condition by sending DYNVC_DATA and DYNVC_CLOSE messages concurrently, causing heap-use-after-free in the drdynvc client thread and potentially enabling remote code execution or denial of service.
Problem types
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Product status
Any version before 3.22.0
3.22.0 (semver)
Credits
jeremylaratro
References
github.com/...reeRDP/security/advisories/GHSA-3mv2-5q57-2v8h
github.com/...reeRDP/security/advisories/GHSA-3mv2-5q57-2v8h (GitHub Security Advisory (GHSA-3mv2-5q57-2v8h))
www.vulncheck.com/...e-condition-in-drdynvc-channel-callback (VulnCheck Advisory: FreeRDP - Use-After-Free via Race Condition in DRDYNVC Channel Callback)