CVE-2026-25953
Use-After-Free Vulnerability in FreeRDP RDPGFX Component

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-02-25
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: freerdp
Product: freerdp
Version / Range: versions before 3.23.0 (3.23.0 excluded)
CWE
CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25953 is a heap-use-after-free vulnerability in FreeRDP versions up to 3.22.0, specifically in the X11 client code function `xf_AppUpdateWindowFromSurface`.

The issue occurs because the RDPGFX dynamic virtual channel (DVC) thread obtains a raw pointer to a window object (`xfAppWindow`) without any lifetime protection or synchronization, while the main thread can concurrently delete and free that same window object.

This lack of proper locking between the two threads leads to a race condition where the DVC thread accesses a freed window structure, causing a heap-use-after-free error.

The vulnerability was fixed in FreeRDP version 3.23.0 by improving lifetime management and synchronization.


How can this vulnerability impact me?

This vulnerability can cause the FreeRDP client to dereference freed memory, leading to undefined behavior such as crashes or potential execution of arbitrary code.

An attacker controlling a malicious RDP server could exploit this flaw by sending crafted RDPGFX and window-delete commands to trigger the use-after-free condition.

The impact includes possible denial of service due to client crashes or potentially more severe security consequences if the heap corruption is leveraged for code execution.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for heap-use-after-free conditions in FreeRDP versions up to 3.22.0, especially in the X11 client code related to the function xf_AppUpdateWindowFromSurface. A proof-of-concept involves a malicious RDP server sending multiple GFX SolidFill and EndFrame PDUs followed by a fastpath window-delete order, triggering the use-after-free.

To detect exploitation attempts or the vulnerability on your system, you can use AddressSanitizer or similar memory error detection tools to identify heap-use-after-free errors in FreeRDP processes.

While no specific commands are provided in the resources, general detection steps include running FreeRDP under AddressSanitizer or enabling debug logs to monitor for crashes or invalid memory accesses related to window updates and deletions.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade FreeRDP to version 3.23.0 or later, where the vulnerability has been fixed by improving lifetime management and synchronization between threads.

Until the upgrade can be applied, avoid connecting to untrusted or malicious RDP servers that might exploit this vulnerability by sending crafted RAIL window and RDPGFX surface commands.

