CVE-2026-26986
Published: 25 February 2026
Summary
CVE-2026-26986 is a medium-severity Use After Free (CWE-416) vulnerability in FreeRDP. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 36.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-26986 is a use-after-free vulnerability (CWE-416) in FreeRDP, an open-source implementation of the Remote Desktop Protocol (RDP). The issue affects versions prior to 3.23.0, specifically in the X11 client module's Remote Applications Integrated Launching (RAIL) functionality within the file `xf_rail.c`. During `rail_window_free`, the function dereferences a freed `xfAppWindow` pointer while performing `HashTable_Free` cleanup on the `railWindows` hash table. This occurs because `xf_rail_window_common` prematurely calls `free(appWindow)` on title allocation failure without removing the entry from the hash table, resulting in a dangling pointer that is freed again upon disconnect.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): it is reachable over the network with low attack complexity, requires neither privileges nor user interaction, and its impact is confined to availability. A malicious RDP server can trigger it when a vulnerable FreeRDP client connects to it and RAIL window handling runs into the title allocation failure condition. Successful exploitation causes a double free, crashing the client and resulting in denial of service.
FreeRDP version 3.23.0 addresses the vulnerability by fixing the pointer handling logic in `xf_rail.c`. References to the affected code include lines 1230-1238, 1297, 1316-1327, 386-394, and 395-399 in the repository, highlighting the precise locations of the premature free and subsequent dereference. Security practitioners should prioritize upgrading to version 3.23.0 or later for affected deployments.
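The ownership mistake described above, as an added example that is not FreeRDP's code: a small fixed-size window table stands in for the `railWindows` hash table, `toy_window` for `xfAppWindow`, and `table_free` for the `HashTable_Free` cleanup on disconnect. The vulnerable registration routine frees the window on title allocation failure without unregistering it, so the table keeps a dangling pointer that the cleanup frees again; the fixed routine unregisters first. All names here (`toy_window`, `toy_table`, `register_window_vulnerable`, `register_window_fixed`, the `g_title_alloc_fails` fault-injection flag) are hypothetical, and the actual 3.23.0 fix in `xf_rail.c` may differ in detail. The same pattern is what the error-handling control in the Mitigating Controls section below refers to.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins, not FreeRDP types: toy_window plays the role of
 * xfAppWindow, toy_table the role of the railWindows hash table. */
typedef struct { unsigned id; char *title; } toy_window;
#define TABLE_SLOTS 8
typedef struct { toy_window *slots[TABLE_SLOTS]; } toy_table;

/* Constructed fault injection: when true, the title allocation "fails". */
static bool g_title_alloc_fails = false;

static char *dup_title(const char *src)
{
    if (g_title_alloc_fails) return NULL;
    size_t n = strlen(src) + 1;
    char *copy = malloc(n);
    if (copy) memcpy(copy, src, n);
    return copy;
}

static void window_free(toy_window *w)
{
    if (!w) return;
    free(w->title);
    free(w);
}

static int table_insert(toy_table *t, toy_window *w)
{
    for (int i = 0; i < TABLE_SLOTS; i++)
        if (!t->slots[i]) { t->slots[i] = w; return i; }
    return -1;
}

static void table_remove(toy_table *t, const toy_window *w)
{
    for (int i = 0; i < TABLE_SLOTS; i++)
        if (t->slots[i] == w) t->slots[i] = NULL;
}

static int table_count(const toy_table *t)
{
    int n = 0;
    for (int i = 0; i < TABLE_SLOTS; i++) n += (t->slots[i] != NULL);
    return n;
}

/* Disconnect-time cleanup (the HashTable_Free analogue): frees every registered entry. */
static void table_free(toy_table *t)
{
    for (int i = 0; i < TABLE_SLOTS; i++) { window_free(t->slots[i]); t->slots[i] = NULL; }
}

/* VULNERABLE pattern as the advisory describes it: the window is registered before
 * its title is allocated, and the error path frees it without unregistering it. */
static toy_window *register_window_vulnerable(toy_table *t, unsigned id, const char *title)
{
    toy_window *w = calloc(1, sizeof *w);
    if (!w) return NULL;
    w->id = id;
    if (table_insert(t, w) < 0) { free(w); return NULL; }
    w->title = dup_title(title);
    if (!w->title) {
        free(w);   /* BUG: t still references w; table_free() will free it again */
        return NULL;
    }
    return w;
}

/* FIXED pattern: unregister on the error path before releasing the memory, so the
 * table never holds a pointer it does not own. */
static toy_window *register_window_fixed(toy_table *t, unsigned id, const char *title)
{
    toy_window *w = calloc(1, sizeof *w);
    if (!w) return NULL;
    w->id = id;
    if (table_insert(t, w) < 0) { free(w); return NULL; }
    w->title = dup_title(title);
    if (!w->title) {
        table_remove(t, w);   /* unregister first ... */
        free(w);              /* ... then release */
        return NULL;
    }
    return w;
}

/* Entries left in the table after a registration whose title allocation failed:
 * 1 means a dangling pointer survived the error path, 0 means it was cleaned up. */
static int entries_after_failed_register(bool use_fixed)
{
    toy_table t = { { NULL } };
    g_title_alloc_fails = true;
    toy_window *w = use_fixed ? register_window_fixed(&t, 1, "dialog")
                              : register_window_vulnerable(&t, 1, "dialog");
    g_title_alloc_fails = false;
    int left = table_count(&t);
    /* Drop the stale slot by hand so this demo does not perform the double free itself;
     * in the real bug, the disconnect cleanup is what frees the pointer a second time. */
    if (w == NULL && !use_fixed) memset(t.slots, 0, sizeof t.slots);
    table_free(&t);
    return left;
}

/* Happy path: one owned entry, released exactly once by table_free(). */
static int entries_after_successful_register(void)
{
    toy_table t = { { NULL } };
    toy_window *w = register_window_fixed(&t, 7, "explorer");
    int left = w ? table_count(&t) : -1;
    table_free(&t);
    return left;
}

int main(void)
{
    printf("vulnerable error path leaves %d entry(ies) behind\n", entries_after_failed_register(false));
    printf("fixed error path leaves %d entry(ies) behind\n", entries_after_failed_register(true));
    printf("successful registration holds %d entry\n", entries_after_successful_register());
    return 0;
}
```

Building the vulnerable variant with AddressSanitizer and letting `table_free` run on the stale slot is the quickest way to see the double free reported; the demo above clears the slot instead so it runs cleanly. The general rule the fix embodies is that every error path after an object becomes reachable from a container must either unregister it or leave it owned by the container, never both free it and leave it registered.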
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8748
Vulnerability details
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques: T1499.004 (Application or System Exploitation)
Why these techniques?
The use-after-free/double-free in the FreeRDP X11 RAIL client module is triggered by a malicious RDP server during connection and directly crashes the targeted client (availability impact only) through application exploitation.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the use-after-free vulnerability by requiring timely installation of the FreeRDP 3.23.0 patch that fixes the dangling pointer issue in `xf_rail.c`.
- Memory protection (ASLR, DEP): implements memory safeguards that hinder exploitation of use-after-free and double-free conditions leading to client crashes.
- SI-11 (Error Handling): ensures secure error handling during title allocation failures so that `xfAppWindow` pointers are not freed prematurely without first being removed from the hash table.