CVE-2026-25954
Published: 25 February 2026
Summary
CVE-2026-25954 is a high-severity Use After Free (CWE-416) vulnerability in Freerdp Freerdp. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 27.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Use-after-free exploits that achieve arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in FreeRDP client (triggered by malicious RAIL orders from attacker-controlled RDP server) directly enables application exploitation that crashes the client, matching T1499.004 Endpoint Denial of Service.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window…
more
(via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
Deeper analysisAI
CVE-2026-25954 is a use-after-free vulnerability (CWE-416) affecting FreeRDP, a free implementation of the Remote Desktop Protocol client. In versions prior to 3.23.0, the `xf_rail_server_local_move_size` function in the X11 client module (xf_rail.c) dereferences a freed `xfAppWindow` pointer. This flaw arises because `xf_rail_get_window` returns an unprotected pointer retrieved from the `railWindows` hash table, enabling a race condition where the main thread deletes the window via a window delete order while the RAIL channel thread continues using the pointer.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Remote, unauthenticated attackers can exploit it over the network with low complexity and no user interaction by acting as an RDP server and sending crafted Remote Application Integrated Locally (RAIL) orders. Successful exploitation triggers the race condition, causing the FreeRDP client to crash and resulting in a denial-of-service condition with no impact on confidentiality or integrity.
FreeRDP version 3.23.0 fixes the issue. Mitigation requires upgrading affected clients to this version or later. The referenced GitHub links highlight specific vulnerable code locations in xf_rail.c, including lines around `xf_rail_get_window` usage and pointer handling in `xf_rail_server_local_move_size`.
Details
- CWE(s)