CVE-2026-25952

CRITICAL

FreeRDP <3.23.0 - Use After Free

Title source: llm
STIX 2.1

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.

References (11)

Core 11
Core References

Scores

CVSS v3 9.8
EPSS 0.0016
EPSS Percentile 36.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-416
Status published
Products (1)
freerdp/freerdp < 3.23.0
Published Feb 25, 2026
Tracked Since Feb 26, 2026