CVE-2026-25952
Published: 25 February 2026
Summary
CVE-2026-25952 is a critical-severity Use After Free (CWE-416) vulnerability in FreeRDP. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability ranks at the 37.3 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates identification, prioritization, and timely remediation of flaws such as this use-after-free in FreeRDP prior to version 3.23.0, by applying the available patch.
- SI-16 (Memory Protection): implements memory protection mechanisms such as address space layout randomization and data execution prevention, which reduce (but do not remove) the exploitability of use-after-free bugs in multithreaded applications like FreeRDP.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning and monitoring to identify systems running FreeRDP versions affected by this race condition, enabling proactive remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- Exploitation for Client Execution (T1203): the bug sits in the FreeRDP RDP client and is triggered by a malicious RDP server sending crafted RAIL messages to a connecting client, which can yield arbitrary code execution on the client. That is the textbook shape of T1203.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
Deeper analysis
CVE-2026-25952 is a use-after-free vulnerability (CWE-416) in FreeRDP, a free implementation of the Remote Desktop Protocol. The issue affects versions prior to 3.23.0 and lies in the X11 client's RAIL channel handling, specifically in the `xf_SetWindowMinMaxInfo` function. That function dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window`, called from `xf_rail_server_min_max_info`, returns a raw pointer retrieved from the `railWindows` hash table without anything holding the window alive. A race arises when the main thread deletes the window in response to a window delete order while the RAIL channel thread is still using the pointer it obtained from the table.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): exploitable over the network with low complexity and no privileges or user interaction required. The practical precondition is worth stating plainly: the attacker must control, or have compromised, an RDP server that the victim's FreeRDP client connects to with the RAIL (RemoteApp) channel in use. The server then sends crafted RAIL messages, such as a min-max info order paired with a window delete order for the same window, to drive the two threads into the race. Because it is a race, a single message pair may not land, but the server controls both messages and the timing between them. Successful exploitation could lead to arbitrary code execution, denial of service, or compromise of confidentiality, integrity, and availability on the client system.
The fix is available in FreeRDP version 3.23.0, which addresses the race condition by properly protecting the pointer usage. Relevant code changes are visible in the FreeRDP GitHub repository at specific lines in `client/X11/xf_rail.c`, including modifications around lines 1167, 1174, 1178, 1230-1238, and 643. Security practitioners should prioritize updating affected FreeRDP clients to version 3.23.0 or later; the installed client version can be confirmed with `xfreerdp /version` or through the distribution's package manager, and FreeRDP libraries bundled into other remote-access tools should be checked separately.
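The race described above, as an added example in C that is not FreeRDP's code: a cut-down window registry stands in for the `railWindows` hash table, the unprotected-lookup pattern sits beside a reference-taking one, and the advisory's interleaving (channel-thread lookup, main-thread delete order, channel-thread dereference) is replayed sequentially so the outcome is deterministic. Every name here (`demo_window`, `lookup_unprotected`, `lookup_acquire`, `delete_order`, `window_put`, `apply_min_max`) is constructed; freed objects are quarantined and tagged rather than returned to the allocator, so the stale dereference shows up as a bad magic value instead of undefined behaviour; and reference counting is one way to close this class of race, not a statement of how 3.23.0 fixes it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>

#define WINDOW_LIVE  0x57494E44u /* object is allocated and in use            */
#define WINDOW_FREED 0xDEADBEEFu /* set by window_free; memory stays mapped  */
#define MAX_WINDOWS  8

/* Constructed stand-in for xfAppWindow with only what the demo needs. */
typedef struct {
    uint32_t magic;
    uint64_t window_id;
    int      refs;   /* the table holds one; each lookup_acquire holds one */
    int      min_w, min_h, max_w, max_h;
} demo_window;

/* Stand-in for the railWindows hash table: one slot per window id. */
static demo_window    *table[MAX_WINDOWS];
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;

/* Quarantining free: mark the object and keep it mapped, so a stale
 * dereference is observable deterministically rather than being UB. */
static demo_window *quarantine[MAX_WINDOWS];
static int          n_quarantined;

static void window_free(demo_window *w)
{
    w->magic = WINDOW_FREED;
    quarantine[n_quarantined++] = w;
}

/* Drop one reference under the table lock; returns 1 if this call freed it. */
static int window_put(demo_window *w)
{
    pthread_mutex_lock(&table_lock);
    int last = (--w->refs == 0);
    pthread_mutex_unlock(&table_lock);
    if (last) window_free(w);
    return last;
}

static void demo_reset(void)
{
    for (int i = 0; i < MAX_WINDOWS; i++) { free(table[i]); table[i] = NULL; }
    for (int i = 0; i < n_quarantined; i++) free(quarantine[i]);
    n_quarantined = 0;
}

static demo_window *create_window(uint64_t id)
{
    demo_window *w = calloc(1, sizeof *w);
    if (!w) abort();
    w->magic = WINDOW_LIVE; w->window_id = id; w->refs = 1; /* table's ref */
    pthread_mutex_lock(&table_lock);
    table[id % MAX_WINDOWS] = w;
    pthread_mutex_unlock(&table_lock);
    return w;
}

/* VULNERABLE: the pattern the advisory describes. The lock covers only the
 * table read; the raw pointer escapes and nothing stops a concurrent delete
 * order from freeing the window before the caller dereferences it. */
static demo_window *lookup_unprotected(uint64_t id)
{
    pthread_mutex_lock(&table_lock);
    demo_window *w = table[id % MAX_WINDOWS];
    if (w && w->window_id != id) w = NULL;
    pthread_mutex_unlock(&table_lock);
    return w;
}

/* HARDENED: take a reference while still holding the table lock, so a delete
 * order can at most drop the table's reference. Caller must window_put(). */
static demo_window *lookup_acquire(uint64_t id)
{
    pthread_mutex_lock(&table_lock);
    demo_window *w = table[id % MAX_WINDOWS];
    if (w && w->window_id != id) w = NULL;
    if (w) w->refs++;
    pthread_mutex_unlock(&table_lock);
    return w;
}

/* Main thread handling a window delete order: unlink the window and drop the
 * table's reference. With the unprotected lookup that reference is the last. */
static int delete_order(uint64_t id)
{
    pthread_mutex_lock(&table_lock);
    demo_window *w = table[id % MAX_WINDOWS];
    if (w && w->window_id == id) table[id % MAX_WINDOWS] = NULL; else w = NULL;
    pthread_mutex_unlock(&table_lock);
    return w ? window_put(w) : 0;
}

/* RAIL channel thread side, modelled on xf_SetWindowMinMaxInfo: write the
 * min/max box through the pointer. Returns the magic seen at dereference. */
static uint32_t apply_min_max(demo_window *w, int min_w, int min_h, int max_w, int max_h)
{
    uint32_t seen = w->magic;   /* a freed xfAppWindow would be touched here */
    if (seen == WINDOW_LIVE) {
        w->min_w = min_w; w->min_h = min_h; w->max_w = max_w; w->max_h = max_h;
    }
    return seen;
}

/* Advisory interleaving with the unprotected lookup: channel thread looks up
 * window 42, main thread processes its delete order, channel thread then
 * dereferences the stale pointer. */
uint32_t race_unprotected(void)
{
    demo_reset();
    create_window(42);
    demo_window *w = lookup_unprotected(42);   /* RAIL channel thread        */
    delete_order(42);                          /* main thread wins the race  */
    return apply_min_max(w, 1, 1, 800, 600);   /* WINDOW_FREED               */
}

/* Same interleaving with the reference-taking lookup: the delete order
 * unlinks the window but cannot free it while the channel thread holds a
 * reference; *freed_on_put reports that the channel's release freed it. */
uint32_t race_protected(int *freed_on_put)
{
    demo_reset();
    create_window(42);
    demo_window *w = lookup_acquire(42);       /* refs 1 -> 2 */
    int freed_by_delete = delete_order(42);    /* refs 2 -> 1, nothing freed */
    uint32_t seen = apply_min_max(w, 1, 1, 800, 600);  /* WINDOW_LIVE */
    *freed_on_put = window_put(w) && !freed_by_delete; /* refs 1 -> 0 */
    return seen;
}

int main(void)
{
    int freed_on_put = 0;
    printf("unprotected lookup: magic at use = 0x%08x\n", race_unprotected());
    printf("protected lookup:   magic at use = 0x%08x, freed on channel put = %d\n",
           race_protected(&freed_on_put), freed_on_put);
    demo_reset();
    return 0;
}
```

The point the example makes is structural: a lock that protects only the hash-table read does nothing for the pointer once it escapes, so either the whole use must happen under the lock or the lookup must hand back ownership (a reference, as here). In real code the quarantine would be a real `free()` and the first path would be a genuine use-after-free, with the freed slot possibly already reused by an attacker-shaped allocation.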
Details
- CWE(s)