Cyber Resilience

CVE-2026-26986

MediumPublic PoC

Published: 25 February 2026

Published
25 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0016 36.4th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26986 is a medium-severity Use After Free (CWE-416) vulnerability in Freerdp Freerdp. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 36.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-26986 is a use-after-free vulnerability (CWE-416) in FreeRDP, an open-source implementation of the Remote Desktop Protocol (RDP). The issue affects versions prior to 3.23.0, specifically in the X11 client module's Remote Applications Integrated Launching (RAIL) functionality within the file `xf_rail.c`. During `rail_window_free`, the function dereferences a freed `xfAppWindow` pointer while performing `HashTable_Free` cleanup on the `railWindows` hash table. This occurs because `xf_rail_window_common` prematurely calls `free(appWindow)` on title allocation failure without removing the entry from the hash table, resulting in a dangling pointer that is freed again upon disconnect.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low complexity, no privileges or user interaction required. Remote attackers can exploit it by establishing an RDP connection to a vulnerable FreeRDP client and triggering the title allocation failure condition during RAIL window handling. Successful exploitation leads to a double-free, causing the client to crash and resulting in denial of service.

FreeRDP version 3.23.0 addresses the vulnerability by fixing the pointer handling logic in `xf_rail.c`. References to the affected code include lines 1230-1238, 1297, 1316-1327, 386-394, and 395-399 in the repository, highlighting the precise locations of the premature free and subsequent dereference. Security practitioners should prioritize upgrading to version 3.23.0 or later for affected deployments.

EU & UK References

Vulnerability details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash…

more

table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Use-after-free/double-free in FreeRDP X11 RAIL client module is triggered by a malicious RDP server during connection, directly causing targeted client crash (availability impact only) via application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24684Same product: Freerdp Freerdp
CVE-2026-24683Same product: Freerdp Freerdp
CVE-2026-24676Same product: Freerdp Freerdp
CVE-2026-24675Same product: Freerdp Freerdp
CVE-2026-25954Same product: Freerdp Freerdp
CVE-2026-24491Same product: Freerdp Freerdp
CVE-2026-24680Same product: Freerdp Freerdp
CVE-2026-27950Same product: Freerdp Freerdp
CVE-2026-23884Same product: Freerdp Freerdp
CVE-2026-24678Same product: Freerdp Freerdp

Affected Assets

freerdp
freerdp
≤ 3.23.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the use-after-free vulnerability by requiring timely installation of the FreeRDP 3.23.0 patch that fixes the dangling pointer issue in xf_rail.c.

prevent

Implements memory safeguards like ASLR and DEP that hinder exploitation of use-after-free and double-free conditions leading to client crashes.

prevent

Ensures secure error handling during title allocation failures to prevent premature freeing of xfAppWindow pointers without hash table removal.

References