CVE-2026-22851
Publication date 14 January 2026
Last updated 18 March 2026
Ubuntu priority
Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has been freed during RDPGFX ResetGraphics handling. This vulnerability is fixed in 3.20.1.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| freerdp | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| freerdp2 | 25.10 questing | Not in release |
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| freerdp3 | 25.10 questing |
Fixed 3.16.0+dfsg-2ubuntu0.3
|
| 24.04 LTS noble |
Fixed 3.5.1+dfsg1-0ubuntu1.4
|
|
| 22.04 LTS jammy | Not in release |
Notes
mdeslaur
The commit below fixes the issue in client/SDL/SDL3/sdl_freerdp.cpp but the code in client/SDL/SDL2/sdl_freerdp.cpp is similar, but perhaps with a smaller window. Asked about SDL2 in https://github.com/FreeRDP/FreeRDP/pull/12103/
References
Related Ubuntu Security Notices (USN)
- USN-8105-1
- FreeRDP vulnerabilities
- 18 March 2026