CVE-2026-26986
Published: 25 February 2026
Summary
CVE-2026-26986 is a high-severity Use After Free (CWE-416) vulnerability in FreeRDP. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 28.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Use-after-free exploits that achieve arbitrary code execution are blocked or made significantly harder by non-executable pages and ASLR.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
A use-after-free/double-free in the FreeRDP X11 RAIL client module is triggered by a malicious RDP server during connection, directly causing a targeted client crash (availability impact only) via application exploitation.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.
Deeper analysis (AI)
CVE-2026-26986 is a use-after-free vulnerability (CWE-416) in FreeRDP, an open-source implementation of the Remote Desktop Protocol (RDP). The issue affects versions prior to 3.23.0, specifically in the X11 client module's Remote Applications Integrated Launching (RAIL) functionality within the file `xf_rail.c`. During `rail_window_free`, the function dereferences a freed `xfAppWindow` pointer while performing `HashTable_Free` cleanup on the `railWindows` hash table. This occurs because `xf_rail_window_common` prematurely calls `free(appWindow)` on title allocation failure without removing the entry from the hash table, resulting in a dangling pointer that is freed again upon disconnect.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating that it is exploitable over the network with low complexity and requires no privileges or user interaction. Remote attackers can exploit it over an RDP connection with a vulnerable FreeRDP client by triggering the title allocation failure condition during RAIL window handling. Successful exploitation leads to a double-free, causing the client to crash and resulting in denial of service.
FreeRDP version 3.23.0 addresses the vulnerability by fixing the pointer handling logic in `xf_rail.c`. References to the affected code include lines 1230-1238, 1297, 1316-1327, 386-394, and 395-399 in the repository, highlighting the precise locations of the premature free and subsequent dereference. Security practitioners should prioritize upgrading to version 3.23.0 or later for affected deployments.
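The ownership mistake described above, reduced to a self-contained C model. This is an added example, not FreeRDP's code: `app_window`, `table_remove`, `run_session` and the flag-based pool allocator are hypothetical stand-ins, and the hardened path shows one generic way to keep a single owner, not the project's actual patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not FreeRDP code. A pool with a 'live' flag stands in
 * for malloc/free so that a second release is counted instead of being UB. */
#define SLOTS 4
typedef struct { bool live; unsigned id; } app_window;
static app_window pool[SLOTS];
static app_window *table[SLOTS];  /* plays the role of the railWindows table */
static int stale_releases;        /* releases of an already-freed window */

static app_window *window_new(unsigned id) {
    for (size_t i = 0; i < SLOTS; i++)
        if (!pool[i].live) { pool[i].live = true; pool[i].id = id; return &pool[i]; }
    return NULL;
}
/* Value destructor the table runs on removal and on teardown. */
static void window_release(app_window *w) {
    if (!w->live) { stale_releases++; return; }  /* real code: double free */
    w->live = false;
}
static void table_remove(size_t slot) {
    if (table[slot]) { window_release(table[slot]); table[slot] = NULL; }
}
static void table_free(void) {                   /* disconnect-time cleanup */
    for (size_t i = 0; i < SLOTS; i++) table_remove(i);
}
/* One session in which the window's title allocation fails (simulated).
 * Returns how many times an already-freed window was released again. */
static int run_session(bool hardened) {
    stale_releases = 0;
    app_window *w = window_new(7);
    if (!w) return -1;
    table[0] = w;                                /* the table now owns w */
    if (hardened) table_remove(0);               /* unlink; destructor frees once */
    else          window_release(w);             /* freed, entry left dangling */
    table_free();
    return stale_releases;
}

int main(void) {
    printf("vulnerable: %d stale release(s)\n", run_session(false));
    printf("hardened:   %d stale release(s)\n", run_session(true));
    return 0;
}
```

When reviewing similar code, check every error path that frees an object already inserted into a container with a value destructor: the entry must be removed first, or the free left to the container.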
Details
- CWE(s)