CVE-2026-25954
Received Received - Intake
Use-After-Free Vulnerability in FreeRDP RAIL Window Handling

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25954
EUVD
EUVD-2026-8734
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freerdp freerdp to 3.23.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25954 is a heap-use-after-free vulnerability in the FreeRDP client, specifically in the function xf_rail_server_local_move_size within the X11 RAIL channel implementation.

The issue occurs because the function xf_rail_get_window returns a raw pointer to an xfAppWindow structure from a hash table without holding a lock during its use. Meanwhile, the main thread can concurrently delete this window and free the pointer.

As a result, the RAIL channel thread may dereference a pointer that has already been freed, leading to a use-after-free condition. This can cause crashes or memory corruption.

The vulnerability was confirmed by AddressSanitizer detecting heap-use-after-free errors during testing with rapid window create, move/size, and delete operations.

The issue is fixed in FreeRDP version 3.23.0 by ensuring the pointer is protected during its usage, either by reference counting or holding the hash table lock for the entire operation.

Impact Analysis

This vulnerability can be exploited by a malicious RDP server to cause the FreeRDP client to crash, resulting in a denial of service.

Additionally, depending on the memory allocator behavior and heap layout, exploitation could lead to heap corruption and potentially allow arbitrary code execution on the client machine.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is a heap-use-after-free in the FreeRDP client related to concurrent access to freed pointers in the RAIL channel implementation.

Detection can be performed by monitoring FreeRDP client crashes or abnormal behavior during RDP sessions, especially when rapid window create, move/size, and delete operations occur.

Using debugging tools like AddressSanitizer (ASan) during testing can help detect heap-use-after-free errors related to this issue.

There are no specific network commands provided to detect this vulnerability directly on the network.

On the system running FreeRDP, you can run FreeRDP under AddressSanitizer or other memory error detectors to catch use-after-free errors.

Mitigation Strategies

The immediate mitigation step is to upgrade FreeRDP to version 3.23.0 or later, where this vulnerability is fixed.

The fix involves ensuring that the pointer to the window structure is properly protected during its use, preventing concurrent deletion.

Until the upgrade is applied, avoid connecting to untrusted or malicious RDP servers that might exploit this vulnerability to cause client crashes or heap corruption.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25954. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart