CVE-2026-25954
Published: 25 February 2026
Summary
CVE-2026-25954 is a medium-severity Use After Free (CWE-416) vulnerability in Freerdp Freerdp. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 34.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-25954 is a use-after-free vulnerability (CWE-416) affecting FreeRDP, a free implementation of the Remote Desktop Protocol client. In versions prior to 3.23.0, the `xf_rail_server_local_move_size` function in the X11 client module (xf_rail.c) dereferences a freed `xfAppWindow` pointer. This flaw arises because `xf_rail_get_window` returns an unprotected pointer retrieved from the `railWindows` hash table, enabling a race condition where the main thread deletes the window via a window delete order while the RAIL channel thread continues using the pointer.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Remote, unauthenticated attackers can exploit it over the network with low complexity and no user interaction by acting as an RDP server and sending crafted Remote Application Integrated Locally (RAIL) orders. Successful exploitation triggers the race condition, causing the FreeRDP client to crash and resulting in a denial-of-service condition with no impact on confidentiality or integrity.
FreeRDP version 3.23.0 fixes the issue. Mitigation requires upgrading affected clients to this version or later. The referenced GitHub links highlight specific vulnerable code locations in xf_rail.c, including lines around `xf_rail_get_window` usage and pointer handling in `xf_rail_server_local_move_size`.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8734
Vulnerability details
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window…
more
(via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in FreeRDP client (triggered by malicious RAIL orders from attacker-controlled RDP server) directly enables application exploitation that crashes the client, matching T1499.004 Endpoint Denial of Service.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the CVE by requiring timely identification, reporting, and correction of the use-after-free flaw in FreeRDP through patching to version 3.23.0 or later.
Implements memory protection safeguards such as address space layout randomization and non-executable memory to mitigate exploitation of the use-after-free vulnerability.
Enables detection of systems running vulnerable FreeRDP versions prior to 3.23.0 through regular vulnerability scanning, facilitating remediation.