CVE-2026-23948
📋 TL;DR
A NULL pointer dereference vulnerability in FreeRDP's rdp_write_logon_info_v2() function allows a malicious RDP server to crash FreeRDP proxy instances by sending specially crafted LogonInfoV2 PDUs with zero-length domain or username fields. This affects FreeRDP proxy deployments prior to version 3.22.0, potentially causing denial of service to RDP proxy services.
💻 Affected Systems
- FreeRDP
- FreeRDP Proxy
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for FreeRDP proxy services, disrupting RDP connectivity for all users relying on the proxy.
Likely Case
Service disruption and potential downtime for FreeRDP proxy deployments when targeted by malicious RDP servers.
If Mitigated
Minimal impact with proper network segmentation and updated software.
🎯 Exploit Status
Exploitation requires the attacker to control an RDP server that the FreeRDP proxy connects to. Only simple packet manipulation is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.22.0
Vendor Advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6f3c-qvqq-2px5
Restart Required: Yes
Instructions:
1. Download FreeRDP 3.22.0 or later from official sources.
2. Stop FreeRDP proxy services.
3. Install/upgrade to version 3.22.0+.
4. Restart FreeRDP proxy services.
🔧 Temporary Workarounds
Network Segmentation
Restrict FreeRDP proxy connections to trusted RDP servers only using firewall rules.
Service Monitoring and Restart
Implement monitoring and automatic restart for FreeRDP proxy services to minimize downtime.
🧯 If You Can't Patch
- Implement strict network controls to allow FreeRDP proxy connections only to trusted, internal RDP servers.
- Deploy redundant FreeRDP proxy instances with load balancing to maintain service during potential crashes.
🔍 How to Verify
Check if Vulnerable:
Check the FreeRDP version with xfreerdp --version or freerdp-proxy --version. If the version is below 3.22.0 and proxy functionality is enabled, the system is vulnerable.
Check Version:
{ xfreerdp --version 2>/dev/null || freerdp-proxy --version 2>/dev/null; } | head -1
Verify Fix Applied:
After upgrade, verify version is 3.22.0 or higher and test proxy functionality with known good RDP servers.
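The version check above can be scripted for use across a fleet. The following is an added example, not part of the original page or of FreeRDP; the function names are hypothetical, and it assumes the first line of the `--version` output contains an x.y.z version token.

```shell
#!/bin/sh
# Added example: classify FreeRDP version banners against the 3.22.0 fix.
FIXED_VERSION="3.22.0"   # patch version stated in the fix section of this page

# Extract the first x.y.z token from a banner line (empty if none).
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 when version $1 >= version $2, comparing fields numerically
# so that 3.9.0 sorts below 3.22.0 (a plain string compare gets this wrong).
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # $1-$3 = candidate, $4-$6 = baseline
    IFS=$old_ifs
    if [ "$1" -gt "$4" ]; then return 0; fi
    if [ "$1" -lt "$4" ]; then return 1; fi
    if [ "$2" -gt "$5" ]; then return 0; fi
    if [ "$2" -lt "$5" ]; then return 1; fi
    if [ "$3" -ge "$6" ]; then return 0; fi
    return 1
}

# Print "PATCHED x.y.z", "BELOW-FIX x.y.z" or "UNKNOWN" for one banner line.
# BELOW-FIX means the build predates the fix; whether the proxy is actually
# in use still has to be confirmed separately.
classify_banner() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then echo "UNKNOWN"; return 0; fi
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "PATCHED $ver"
    else
        echo "BELOW-FIX $ver"
    fi
}

# Check whichever of the two binaries named on this page is installed.
check_installed() {
    for bin in xfreerdp freerdp-proxy; do
        if command -v "$bin" >/dev/null 2>&1; then
            banner=$("$bin" --version 2>/dev/null | head -n 1)
            echo "$bin: $(classify_banner "$banner")"
        fi
    done
}

check_installed
```

The script prints nothing when neither binary is on the PATH, and UNKNOWN when a banner carries no recognizable version.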
📡 Detection & Monitoring
Log Indicators:
- FreeRDP proxy crash logs
- Segmentation fault errors in system logs
- Unexpected FreeRDP proxy service termination
Network Indicators:
- RDP connections from FreeRDP proxy to untrusted servers
- Abnormal RDP packet patterns with zero-length fields
SIEM Query:
source="*freerdp*" AND ("segmentation fault" OR "crash" OR "null pointer")