CVE-2026-56297
Severity CVSS v4.0:
HIGH
Type:
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
08/07/2026
Last modified:
10/07/2026
Description
FreeRDP before 3.22.0 contains a use-after-free vulnerability in dvcman_channel_close and dvcman_call_on_receive due to improper synchronization of channel_callback access. A malicious RDP server can trigger a race condition by sending DYNVC_DATA and DYNVC_CLOSE messages concurrently, causing heap-use-after-free in the drdynvc client thread and potentially enabling remote code execution or denial of service.
Impact
Base Score 4.0
8.30
Severity 4.0
HIGH
Base Score 3.x
7.00
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:* | 3.22.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



