CVE-2026-25953
Published: 25 February 2026
Summary
CVE-2026-25953 is a critical-severity Use After Free (CWE-416) vulnerability in FreeRDP. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 37.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely patching of the specific use-after-free flaw in FreeRDP versions prior to 3.23.0 to eliminate the vulnerability.
- SI-16 (Memory Protection): implements memory safeguards such as ASLR and DEP to mitigate exploitation of the use-after-free vulnerability leading to arbitrary code execution.
- SC-39 (Process Isolation): provides process isolation for the FreeRDP client to contain potential code execution from the race-condition-triggered use-after-free.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The use-after-free vulnerability in the FreeRDP client enables remote code execution via crafted RDP traffic from a malicious server, directly mapping to Exploitation for Client Execution (T1203).
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue.
Deeper analysis
CVE-2026-25953 is a use-after-free vulnerability (CWE-416) in FreeRDP, a free implementation of the Remote Desktop Protocol client. In versions prior to 3.23.0, the function `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` object. This occurs because the RDPGFX DVC thread obtains a bare pointer to the window via `xf_rail_get_window` without lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. The affected components are in the X11 client modules, specifically `xf_rail.c` and `xf_window.c`.
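The lookup pattern behind this bug, and the lifetime-protected alternative, as an added example that is not FreeRDP's code and does not reproduce the upstream fix: `window_acquire` hands the caller its own reference taken under the registry lock, so a concurrent window-delete on the main thread can unlink the window but cannot free it while the GFX-thread side is still reading it. All names (`app_window`, `reg`, `window_acquire`, `update_window_from_surface`) are hypothetical stand-ins for the `xfAppWindow` / `xf_rail_get_window` / `xf_AppUpdateWindowFromSurface` roles described above.

```c
#include <pthread.h>
#include <stdlib.h>
/* Constructed stand-in for an xfAppWindow; names are hypothetical, not FreeRDP's. */
typedef struct { unsigned id; int refs; int surface_w; } app_window;
#define MAX_WINDOWS 8                /* window ids index the registry directly */
static pthread_mutex_t reg_lock = PTHREAD_MUTEX_INITIALIZER;
static app_window *reg[MAX_WINDOWS]; /* the registry owns one reference per entry */
int freed_windows;                   /* counts real frees, so a test can observe them */

int window_create(unsigned id, int surface_w) {
    app_window *w = (id < MAX_WINDOWS) ? calloc(1, sizeof *w) : NULL;
    if (!w) return -1;
    w->id = id; w->refs = 1; w->surface_w = surface_w; /* ref 1 belongs to the registry */
    pthread_mutex_lock(&reg_lock);
    app_window *prev = reg[id];
    if (!prev) reg[id] = w;
    pthread_mutex_unlock(&reg_lock);
    if (prev) free(w);               /* id already in use */
    return prev ? -1 : 0;
}

/* Hardened lookup: the caller takes its OWN reference while the lock is held, so a
 * concurrent window-delete cannot free the object; the bug was a bare-pointer lookup. */
app_window *window_acquire(unsigned id) {
    pthread_mutex_lock(&reg_lock);
    app_window *w = (id < MAX_WINDOWS) ? reg[id] : NULL;
    if (w) w->refs++;
    pthread_mutex_unlock(&reg_lock);
    return w;
}
void window_release(app_window *w) { /* only the last holder actually frees */
    pthread_mutex_lock(&reg_lock);
    int last = (--w->refs == 0);
    pthread_mutex_unlock(&reg_lock);
    if (last) { free(w); freed_windows++; }
}
int window_delete(unsigned id) { /* the window-delete order, main-thread side */
    pthread_mutex_lock(&reg_lock);
    app_window *w = (id < MAX_WINDOWS) ? reg[id] : NULL;
    if (w) reg[id] = NULL;           /* unlink so new lookups fail ... */
    pthread_mutex_unlock(&reg_lock);
    if (w) window_release(w);        /* ... then drop only the registry's reference */
    return w ? 0 : -1;
}
int update_window_from_surface(unsigned id) { /* GFX-thread side: acquire, read, release */
    app_window *w = window_acquire(id);
    if (!w) return -1;
    int width = w->surface_w;
    window_release(w);
    return width;
}
```

With a bare-pointer lookup, the delete would free the object while the update still holds the pointer; with the reference taken under the lock, the delete only unlinks it and the memory survives until the last holder releases.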
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low complexity, no privileges or user interaction required. An attacker controlling a malicious RDP server can exploit FreeRDP clients connecting to it by sending crafted RDP traffic that triggers the race condition, potentially leading to arbitrary code execution, data corruption, or denial of service on the client system.
Version 3.23.0 of FreeRDP addresses the issue, as indicated in the vulnerability description. Relevant code changes can be reviewed in the provided GitHub references, including lines in `xf_rail.c` (1230-1237, 257-290, 643-647) and `xf_window.c` (1394-1428, 1462-1470), which highlight the problematic pointer handling and window management logic fixed upstream. Security practitioners should prioritize upgrading affected FreeRDP deployments to mitigate exploitation risk.
Details
- CWE(s)