Use After Free Affecting libwinpr package, versions <2:2.11.7-1.el9_7.1


Severity

Recommended
high

Based on AlmaLinux security rating.

Threat Intelligence

EPSS
0.4% (33rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ALMALINUX9-LIBWINPR-15263657
  • published11 Feb 2026
  • disclosed5 Feb 2026

Introduced: 5 Feb 2026

CVE-2026-23883  (opens in a new tab)
CWE-416  (opens in a new tab)

How to fix?

Upgrade AlmaLinux:9 libwinpr to version 2:2.11.7-1.el9_7.1 or higher.
This issue was patched in ALSA-2026:2048.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libwinpr package and not the libwinpr package as distributed by AlmaLinux. See How to fix? for AlmaLinux:9 relevant fixed versions and status.

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, xf_Pointer_New frees cursorPixels on failure, then pointer_free calls xf_Pointer_Free and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.

CVSS Base Scores

version 3.1