Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
Published: 2026-02-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap use-after-free leading to memory corruption
Action: Apply Patch
AI Analysis

Impact

FreeRDP's RAIL channel contains a heap use-after-free in the function xf_SetWindowMinMaxInfo. The flaw occurs when the main thread deletes a window while a separate RAIL server thread is still accessing the freed xfAppWindow structure, causing an invalid memory dereference. This memory corruption can crash the application. The potential for code execution is not explicitly documented; based on typical heap-corruption effects, it is inferred that an attacker could possibly achieve arbitrary code execution if the crash is exploitable, but this claim is tentative.
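The race described in the Description and in this Impact paragraph comes down to one pattern: a lookup hands back a pointer into a table that another thread may free at any moment. The C example below is added here and is not FreeRDP's code; it models a small window registry with assumed names (`window_registry`, `app_window`, `window_acquire`, `window_release`, `window_delete`, `handle_min_max_info`) and shows the unprotected lookup next to a reference-counted one, where a delete order unlinks the record but the memory is freed only when the last holder releases it.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for the per-window record; FreeRDP's xfAppWindow is assumed, not copied. */
typedef struct app_window {
    uint64_t window_id;
    int min_width;   /* written by a min/max-info update */
    int min_height;
    int refcount;    /* guarded by registry.lock */
} app_window;

#define MAX_WINDOWS 16
/* Hypothetical replacement for the railWindows hash table, guarded by one mutex. */
typedef struct {
    pthread_mutex_t lock;
    app_window *slots[MAX_WINDOWS];
} window_registry;

static window_registry registry = { PTHREAD_MUTEX_INITIALIZER, { NULL } };
static int frees_total = 0;   /* counts real frees so a test can observe them */

static int slot_for(uint64_t id) { return (int)(id % MAX_WINDOWS); }

int window_create(uint64_t id)
{
    app_window *w = calloc(1, sizeof *w);
    if (!w) return -1;
    w->window_id = id;
    w->refcount = 1;                   /* the table's own reference */
    pthread_mutex_lock(&registry.lock);
    int slot = slot_for(id), ok = (registry.slots[slot] == NULL);
    if (ok) registry.slots[slot] = w;  /* slot in use: reject for simplicity */
    pthread_mutex_unlock(&registry.lock);
    if (!ok) free(w);
    return ok ? 0 : -1;
}

/* Vulnerable pattern: hand out the raw pointer and drop the lock. Nothing
 * prevents a concurrent delete from freeing *w while the caller still uses it. */
app_window *window_lookup_unsafe(uint64_t id)
{
    pthread_mutex_lock(&registry.lock);
    app_window *w = registry.slots[slot_for(id)];
    if (w && w->window_id != id) w = NULL;
    pthread_mutex_unlock(&registry.lock);
    return w;
}

/* Hardened pattern: take a reference while the lock is held, so the record
 * survives a concurrent delete until the caller calls window_release(). */
app_window *window_acquire(uint64_t id)
{
    pthread_mutex_lock(&registry.lock);
    app_window *w = registry.slots[slot_for(id)];
    if (w && w->window_id == id) w->refcount++;
    else w = NULL;
    pthread_mutex_unlock(&registry.lock);
    return w;
}

void window_release(app_window *w)
{
    pthread_mutex_lock(&registry.lock);
    int last = (--w->refcount == 0);
    if (last) frees_total++;
    pthread_mutex_unlock(&registry.lock);
    if (last) free(w);                 /* free outside the lock */
}

/* Main-thread side of a window delete order: unlink the record, then drop
 * the table's reference. Memory is released only by the last holder. */
int window_delete(uint64_t id)
{
    pthread_mutex_lock(&registry.lock);
    int slot = slot_for(id);
    app_window *w = registry.slots[slot];
    if (w && w->window_id == id) registry.slots[slot] = NULL;
    else w = NULL;
    pthread_mutex_unlock(&registry.lock);
    if (!w) return -1;
    window_release(w);
    return 0;
}

/* Channel-thread side of a min/max-info update in acquire/use/release form.
 * Returns -1 when the window is already gone instead of touching freed memory. */
int handle_min_max_info(uint64_t id, int min_width, int min_height)
{
    app_window *w = window_acquire(id);
    if (!w) return -1;
    w->min_width = min_width;
    w->min_height = min_height;
    window_release(w);
    return 0;
}

int frees_so_far(void) { return frees_total; }
```

The contrast is in the two lookups: `window_lookup_unsafe` is the shape the Description blames, while `window_acquire` pins the record for exactly the span the caller uses it. With the hardened form, a delete that races the channel thread simply leaves one holder and the handler returns -1 on the next lookup. Build with `-pthread`; running the flow under AddressSanitizer is a quick way to confirm that no access touches freed memory.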

Affected Systems

All FreeRDP releases before version 3.23.0 that include the xf_rail code are vulnerable. The issue resides in the client component that handles RAIL window min/max data and affects any system that accepts remote clients with the RAIL channel enabled.

Risk and Exploitability

The base CVSS score is 5.5, indicating moderate severity. The EPSS score of <1% reflects a very low probability of exploitation at the time of analysis. Because the flaw is exercised through the RAIL channel during a remote desktop session, it is inferred that an attacker must establish a RAIL-enabled session and trigger window min/max updates while a window is removed. The vulnerability is not listed in CISA's KEV catalog, so it has not been confirmed as a publicly exploited flaw. Administrators should consider the moderate impact and low exploitation likelihood when prioritizing remediation.

Generated by OpenCVE AI on April 18, 2026 at 10:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to version 3.23.0 or later to apply the vendor patch.
  • Disable the RAIL channel if an upgrade cannot be performed immediately, preventing the vulnerable code path from being exercised.
  • Monitor client and server logs for crashes or abnormal behaviors that could indicate an attempted exploitation of the memory corruption.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 16:15:00 +0000
  Metrics
    Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 15:00:00 +0000
  CPEs
    Added: cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
  Metrics
    Removed: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H'}
    Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Feb 2026 13:30:00 +0000
  First Time appeared
    Added: Freerdp; Freerdp freerdp
  Vendors & Products
    Added: Freerdp; Freerdp freerdp

Thu, 26 Feb 2026 12:15:00 +0000
  Weaknesses
    Added: CWE-825
  References
    (no values listed)
  Metrics
    Removed: threat_severity None
    Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H'}
    Added: threat_severity Moderate

Wed, 25 Feb 2026 20:30:00 +0000
  Description
    Added: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
  Title
    Added: FreeRDP has heap-use-after-free in xf_SetWindowMinMaxInfo
  Weaknesses
    Added: CWE-416
  References
    (no values listed)
  Metrics
    Added: cvssV4_0 {'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:56:24.771Z

Reserved: 2026-02-09T17:13:54.065Z

Link: CVE-2026-25952

Vulnrichment

Updated: 2026-02-26T15:56:10.643Z

NVD

Status: Analyzed

Published: 2026-02-25T21:16:41.290

Modified: 2026-02-27T14:55:25.187

Link: CVE-2026-25952

Redhat

Severity: Moderate

Public Date: 2026-02-25T20:24:07Z

Links: CVE-2026-25952 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses