Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue.
Published: 2026-02-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap use-after-free that can lead to memory corruption, crash, or potential code execution
Action: Apply Patch
AI Analysis

Impact

FreeRDP's client code contains a heap use-after-free bug that is triggered when the RDPGFX dynamic virtual channel (DVC) thread accesses a window pointer after the main thread has already deleted that window. Because the freed memory is then read, an attacker could arrange a sequence of RDP operations that causes a crash or, in the worst case, memory corruption that permits arbitrary code execution. The vulnerability is classified as CWE-416 (use after free) and CWE-825 (expired pointer dereference).

Affected Systems

The flaw affects FreeRDP versions older than 3.23.0. The affected product is FreeRDP, a free RDP client available on multiple operating systems. All builds that use the xf_rail component (the RemoteApp/RAIL support of the X11 client) before the 3.23.0 release are subject to this bug. The vendor designated the affected version range as <3.23.0.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score indicates an exploitation probability below 1%. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the bug is triggered through remote desktop traffic received by the client, so the likely attack vector is an attacker controlling the remote end of the session who can send specially crafted RDP traffic that produces concurrent window-update and window-delete events. No public exploit code is known, so the risk primarily manifests as a potential denial of service or memory corruption if the attacker can orchestrate the required packet sequence.

Generated by OpenCVE AI on April 17, 2026 at 14:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to FreeRDP version 3.23.0 or newer to eliminate the vulnerable code.
  • Restart the client after applying the update so that all memory references are refreshed.
  • If the update cannot be applied immediately, disable the RDPGFX channel or restrict RDP session privileges to reduce the window during which the bug can be triggered.


Advisories

No advisories yet.

History

Fri, 27 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
Metrics | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'} | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Feb 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Freerdp; Freerdp freerdp
Vendors & Products | | Freerdp; Freerdp freerdp

Thu, 26 Feb 2026 12:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-825
References | |
Metrics | threat_severity None | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}; threat_severity Moderate

Wed, 25 Feb 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue.
Title | | FreeRDP has heap-use-after-free in xf_AppUpdateWindowFromSurface (freed appWindow)
Weaknesses | | CWE-416
References | |
Metrics | | cvssV4_0 {'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:55:34.086Z

Reserved: 2026-02-09T17:13:54.065Z

Link: CVE-2026-25953

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-25T21:16:41.483

Modified: 2026-02-27T14:55:56.937

Link: CVE-2026-25953

Redhat

Severity: Moderate

Public Date: 2026-02-25T20:27:00Z

Links: CVE-2026-25953 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses