CVE-2026-25954
Status: Received - Intake
Use-After-Free Vulnerability in FreeRDP RAIL Window Handling

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
Meta Information
Published: 2026-02-25
Last Modified: 2026-02-27
Generated: 2026-05-07
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: freerdp
Product: freerdp
Version / Range: all versions up to, but excluding, 3.23.0
CWE
CWE-416 (Use After Free): The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25954 is a heap use-after-free in the FreeRDP X11 client (the xf_* code in xfreerdp), in xf_rail_server_local_move_size, which handles local move/size of RAIL (Remote Applications Integrated Locally) windows.

The root cause is the lifetime contract of xf_rail_get_window: it looks a window up in the railWindows hash table and hands back the raw xfAppWindow pointer, with nothing keeping the object alive once the lookup returns (no lock held across the caller's use, no reference taken). The main thread removes and frees windows from that table when it processes a window delete order from the server, and that delete can land while the RAIL channel thread is still inside xf_rail_server_local_move_size using the pointer it just fetched.

When that interleaving happens, the RAIL channel thread reads and writes an object that has already been freed. In the best case the client crashes; if the allocator has already reused the chunk, the accesses corrupt whatever now lives there.

The report was confirmed with AddressSanitizer, which flags heap-use-after-free in this path when window create, move/size and delete operations arrive in rapid succession.

FreeRDP 3.23.0 fixes the issue. Any correct fix has to keep the xfAppWindow alive for the whole move/size operation (for example by taking a reference on it inside the lookup, or by not releasing the hash table lock until the operation is done); the description on this page does not say which approach 3.23.0 uses.
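
The race and one way to close it, as an added example that is not FreeRDP's code: a small C model of a window table whose lookup either hands back a raw pointer (the shape the description gives for xf_rail_get_window) or takes a reference while the table lock is still held, followed by a deterministic replay of the interleaving the advisory describes. Every name in it (win_table, win_lookup_raw, win_lookup_ref, win_delete, rail_local_move_size, replay_interleaving) is a hypothetical stand-in for railWindows, xf_rail_get_window, the main thread's delete-order handling and xf_rail_server_local_move_size; the spinlock stands in for the hash table's lock, and reference counting is one possible fix, not necessarily the one 3.23.0 ships.

```c
/* Added example, not FreeRDP's code: a model of the window-table race behind
 * CVE-2026-25954 next to a reference-counted fix.  Every name is hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_WINDOWS 8

typedef struct {
    uint32_t window_id;
    int x, y, width, height;
    int refcount;     /* table's reference + one per active user; guarded by the table lock */
} app_window;

typedef struct {
    atomic_flag lock; /* spinlock standing in for the railWindows hash-table lock */
    app_window *slots[MAX_WINDOWS];
    int freed;        /* windows actually free()d, for verification */
} win_table;

static void tbl_lock(win_table *t)   { while (atomic_flag_test_and_set(&t->lock)) { } }
static void tbl_unlock(win_table *t) { atomic_flag_clear(&t->lock); }
static void win_table_init(win_table *t) { memset(t, 0, sizeof *t); atomic_flag_clear(&t->lock); }
/* Slot index of window id, or -1.  Call with the lock held. */
static int slot_of(const win_table *t, uint32_t id) {
    for (int i = 0; i < MAX_WINDOWS; i++)
        if (t->slots[i] && t->slots[i]->window_id == id) return i;
    return -1;
}
/* Vulnerable shape, as described for xf_rail_get_window: the pointer leaves the
 * critical section with nothing keeping the window alive, so a delete order on
 * the main thread can free it under the caller.  Kept for contrast only. */
static app_window *win_lookup_raw(win_table *t, uint32_t id) {
    tbl_lock(t);
    int i = slot_of(t, id);
    app_window *w = (i < 0) ? NULL : t->slots[i];
    tbl_unlock(t);
    return w;
}
/* Hardened shape: take a reference before the lock is released. */
static app_window *win_lookup_ref(win_table *t, uint32_t id) {
    tbl_lock(t);
    int i = slot_of(t, id);
    app_window *w = (i < 0) ? NULL : t->slots[i];
    if (w) w->refcount++;
    tbl_unlock(t);
    return w;
}
/* Drop one reference; whoever drops the last one frees the window. */
static void win_release(win_table *t, app_window *w) {
    tbl_lock(t);
    bool last = (--w->refcount == 0);
    if (last) t->freed++;
    tbl_unlock(t);
    if (last) free(w);
}
static app_window *win_create(win_table *t, uint32_t id) {
    app_window *w = calloc(1, sizeof *w);
    if (!w) return NULL;
    w->window_id = id; w->refcount = 1;   /* the table's own reference */
    tbl_lock(t);
    for (int i = 0; i < MAX_WINDOWS; i++)
        if (!t->slots[i]) { t->slots[i] = w; break; }
    tbl_unlock(t);
    return w;
}
/* Main thread handling a window delete order: unlink, then drop the table's
 * reference.  If the RAIL thread still holds one, the object survives. */
static void win_delete(win_table *t, uint32_t id) {
    tbl_lock(t);
    int i = slot_of(t, id);
    app_window *w = (i < 0) ? NULL : t->slots[i];
    if (w) t->slots[i] = NULL;
    tbl_unlock(t);
    if (w) win_release(t, w);
}
/* RAIL channel thread: local move/size holding its own reference throughout. */
static bool rail_local_move_size(win_table *t, uint32_t id, int x, int y, int width, int height) {
    app_window *w = win_lookup_ref(t, id);
    if (!w) return false;
    w->x = x; w->y = y; w->width = width; w->height = height;
    win_release(t, w);
    return true;
}

/* Deterministic replay of the reported interleaving.  Returns how many windows
 * were freed while the RAIL thread still used its pointer: 0 with the fix,
 * -1 if a fresh lookup could still see the deleted window. */
static int replay_interleaving(win_table *t) {
    win_table_init(t);
    win_create(t, 42);
    app_window *w = win_lookup_ref(t, 42);              /* RAIL thread: lookup */
    win_delete(t, 42);                                  /* main thread: delete order */
    if (win_lookup_raw(t, 42) != NULL) return -1;       /* unlinked: no new lookup finds it */
    int freed_while_in_use = t->freed;                  /* 0: the RAIL reference keeps it alive */
    w->width = 640;                                     /* RAIL thread: still a live object */
    win_release(t, w);                                  /* last reference: freed here */
    return freed_while_in_use;
}
```

Swapping win_lookup_raw for win_lookup_ref inside rail_local_move_size restores the vulnerable shape: win_delete on another thread can then free the window between the lookup and the field writes, which is exactly the window ASan catches. The property that matters is that the object's lifetime is tied to a reference taken inside the critical section, not to whether the caller happens to finish before the main thread's delete order arrives.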


How can this vulnerability impact me?

The trigger is a sequence of window orders chosen by the RDP server, so the attacker is a malicious or compromised server that an xfreerdp client connects to in a RemoteApp (RAIL) session; nothing beyond connecting is required from the user. The reliable outcome is a client crash, i.e. denial of service of the session.

Beyond the crash, a use-after-free that touches a chunk the allocator has already reused corrupts heap data. Depending on allocator behaviour and heap layout, an attacker who controls the timing of the create, move/size and delete orders may be able to turn that into arbitrary code execution on the client machine. Nothing on this page documents a working exploit of that kind.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This is a client-side memory-safety bug, so there is no network signature for it and this page lists no network detection commands. Detection is a matter of inventory and crash telemetry.

Inventory: find every FreeRDP 3.x client below 3.23.0. On a host, `xfreerdp /version` prints the client version, and the package manager shows what is installed (for example `dpkg -l | grep -i freerdp` on Debian-based systems or `rpm -qa | grep -i freerdp` on RPM-based ones). The vulnerable function is in the X11 client, but the CPE on this page covers the freerdp product as a whole, so treat any 3.x build before 3.23.0 as affected.

Crash telemetry: xfreerdp crashing (SIGSEGV, abort) during RemoteApp sessions, especially when windows are created, moved or resized and closed in quick succession, is consistent with this bug; check coredumpctl or your crash collector for backtraces with xf_rail_* frames.

Testing: a FreeRDP build with AddressSanitizer enabled (FreeRDP's CMake option -DWITH_SANITIZE_ADDRESS=ON) reports heap-use-after-free in xf_rail_server_local_move_size under rapid window create, move/size and delete sequences, which is how the issue was confirmed.


What immediate steps should I take to mitigate this vulnerability?

Upgrade FreeRDP to 3.23.0 or later on every client host; that is the fix. Rebuild or update anything that ships its own copy of the FreeRDP 3.x client as well.

The fix keeps the xfAppWindow alive for the duration of the move/size operation, so a concurrent window delete order processed by the main thread can no longer free it under the RAIL channel thread.

Until the upgrade is applied, do not point xfreerdp at servers you do not trust, and avoid RemoteApp (RAIL) sessions with them in particular, since the window orders that trigger the bug belong to that channel. A compromised server you do trust can trigger it just as well, so treat this as a stopgap, not a mitigation.

