Cyber Resilience

CVE-2026-25954

MediumPublic PoC

Published: 25 February 2026

Published
25 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0014 34.5th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25954 is a medium-severity Use After Free (CWE-416) vulnerability in Freerdp Freerdp. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 34.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-25954 is a use-after-free vulnerability (CWE-416) affecting FreeRDP, a free implementation of the Remote Desktop Protocol client. In versions prior to 3.23.0, the `xf_rail_server_local_move_size` function in the X11 client module (xf_rail.c) dereferences a freed `xfAppWindow` pointer. This flaw arises because `xf_rail_get_window` returns an unprotected pointer retrieved from the `railWindows` hash table, enabling a race condition where the main thread deletes the window via a window delete order while the RAIL channel thread continues using the pointer.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Remote, unauthenticated attackers can exploit it over the network with low complexity and no user interaction by acting as an RDP server and sending crafted Remote Application Integrated Locally (RAIL) orders. Successful exploitation triggers the race condition, causing the FreeRDP client to crash and resulting in a denial-of-service condition with no impact on confidentiality or integrity.

FreeRDP version 3.23.0 fixes the issue. Mitigation requires upgrading affected clients to this version or later. The referenced GitHub links highlight specific vulnerable code locations in xf_rail.c, including lines around `xf_rail_get_window` usage and pointer handling in `xf_rail_server_local_move_size`.

EU & UK References

Vulnerability details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window…

more

(via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Use-after-free in FreeRDP client (triggered by malicious RAIL orders from attacker-controlled RDP server) directly enables application exploitation that crashes the client, matching T1499.004 Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24684Same product: Freerdp Freerdp
CVE-2026-24683Same product: Freerdp Freerdp
CVE-2026-24676Same product: Freerdp Freerdp
CVE-2026-24675Same product: Freerdp Freerdp
CVE-2026-26986Same product: Freerdp Freerdp
CVE-2026-24491Same product: Freerdp Freerdp
CVE-2026-24680Same product: Freerdp Freerdp
CVE-2026-27950Same product: Freerdp Freerdp
CVE-2026-23884Same product: Freerdp Freerdp
CVE-2026-24678Same product: Freerdp Freerdp

Affected Assets

freerdp
freerdp
≤ 3.23.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the CVE by requiring timely identification, reporting, and correction of the use-after-free flaw in FreeRDP through patching to version 3.23.0 or later.

prevent

Implements memory protection safeguards such as address space layout randomization and non-executable memory to mitigate exploitation of the use-after-free vulnerability.

detect

Enables detection of systems running vulnerable FreeRDP versions prior to 3.23.0 through regular vulnerability scanning, facilitating remediation.

References