CVE-2026-25952
Use-After-Free in FreeRDP xf_SetWindowMinMaxInfo Causes Crash
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | to 3.23.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25952 is a use-after-free vulnerability in FreeRDP versions prior to 3.23.0, specifically in the X11 client implementation of the RAIL (Remote Application Integrated Locally) channel. The issue occurs because the function `xf_rail_get_window` returns an unprotected pointer to a window structure (`xfAppWindow`) from a hash table. While one thread (the RAIL channel thread) uses this pointer, the main thread can concurrently delete the window and free the memory. This leads to the RAIL thread dereferencing a pointer to freed memory, causing a heap-use-after-free condition.
This race condition arises when the RAIL channel thread calls `xf_SetWindowMinMaxInfo` using the pointer, while the main thread processes a window delete order that frees the window structure. The vulnerability can cause crashes or heap corruption, and potentially allow code execution depending on memory allocator behavior.
How can this vulnerability impact me? :
This vulnerability can be exploited by a malicious RDP server to cause the FreeRDP client to crash, resulting in a denial of service (DoS).
Additionally, because the issue involves use-after-free and heap corruption, there is a potential risk that an attacker could execute arbitrary code on the client system, depending on the heap layout and allocator behavior.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or heap-use-after-free errors in the FreeRDP client, especially when connecting to RAIL-capable RDP servers that rapidly send window create, ServerMinMaxInfo PDUs, and window delete orders.
A practical detection method is to build the FreeRDP client with AddressSanitizer enabled and observe if heap-use-after-free errors occur during RDP sessions involving RAIL channel operations.
There are no specific network commands provided in the resources, but monitoring client logs for crashes or using debugging tools like AddressSanitizer during RDP sessions can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade FreeRDP to version 3.23.0 or later, where the vulnerability is fixed by introducing proper locking and unlocking around the hash table managing RAIL windows.
If upgrading is not immediately possible, avoid connecting to untrusted or malicious RDP servers that might exploit this race condition.
Additionally, monitoring for updates or patches from the FreeRDP project and applying them promptly is recommended.