Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
Published: 2026-02-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap use-after-free in the FreeRDP X11 client's RAIL (RemoteApp) handling can corrupt memory and crash the client
Action: Upgrade
AI Analysis

Impact

FreeRDP's X11 client (`xfreerdp`; the `xf_` prefix on the function names and the `xfAppWindow` type belong to that client) contains a heap use-after-free in its RAIL (RemoteApp) handling. `xf_rail_server_local_move_size` runs on the RAIL channel thread and looks a window up through `xf_rail_get_window`, which returns a raw pointer out of the `railWindows` hash table with nothing to keep the object alive. If the main thread processes a window delete order for that window in the meantime, the `xfAppWindow` is freed and the channel thread carries on with a dangling pointer. The flaw is classified as CWE-416 (use after free) and CWE-825 (expired pointer dereference). The effect the advisory establishes is a crash or memory corruption, that is, loss of availability; the CVSS 4.0 vector scores only a low availability impact (VA:L) and no confidentiality or integrity impact. Neither information disclosure nor code execution is asserted; a use-after-free can sometimes be driven further, but nothing on this page supports that for this bug.
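The race the description outlines, as an added example that is neither FreeRDP's code nor its 3.23.0 fix: `AppWindow`, `get_window_raw` and the two `local_move_size_*` functions stand in for `xfAppWindow`, `xf_rail_get_window` and `xf_rail_server_local_move_size`, and the window table, the lock and the window ids are all constructed for the demonstration. The thread switch is driven by hand through an `interleave` callback so the outcome is deterministic, delete marks the object freed instead of calling `free()` so the use-after-free shows up as a return code rather than undefined behaviour, and a delete order that arrives while the table is locked is parked until the lock is released, which models the main thread blocking on the mutex.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not FreeRDP code: a window table shared by a "main
 * thread" (applies window delete orders) and a "RAIL channel thread" (handles
 * local move/size); the thread switch is driven by hand via `interleave`. */
typedef struct {
    uint32_t id;
    int x, y;
    bool freed;   /* set by delete instead of free(), so the UAF is observable */
} AppWindow;
#define MAX_WINDOWS 8
static AppWindow pool[MAX_WINDOWS];     /* backing storage */
static AppWindow *table[MAX_WINDOWS];   /* stand-in for railWindows */

/* Mutex stand-in: a delete arriving while locked is parked, i.e. the main
 * thread blocks until the channel thread releases the lock. */
static bool locked;
static uint32_t pending_delete;         /* 0 = nothing parked */
static void delete_window(uint32_t id);
static void table_lock(void) { locked = true; }
static void table_unlock(void) {
    uint32_t id = pending_delete;
    locked = false;
    pending_delete = 0;
    if (id) delete_window(id);          /* blocked main thread resumes */
}
static void reset_tables(void) {
    memset(pool, 0, sizeof pool);
    memset(table, 0, sizeof table);
    locked = false;
    pending_delete = 0;
}
static void add_window(int slot, uint32_t id, int x, int y) {
    pool[slot] = (AppWindow){ id, x, y, false };
    table[slot] = &pool[slot];
}
/* Vulnerable lookup: hands out the raw table pointer; nothing keeps it alive. */
static AppWindow *get_window_raw(uint32_t id) {
    for (int i = 0; i < MAX_WINDOWS; i++)
        if (table[i] && table[i]->id == id) return table[i];
    return NULL;
}
/* Main-thread side: window delete order from the server. */
static void delete_window(uint32_t id) {
    if (locked) { pending_delete = id; return; }   /* would block on mutex */
    for (int i = 0; i < MAX_WINDOWS; i++)
        if (table[i] && table[i]->id == id) {
            table[i]->freed = true;                /* real code: free() */
            table[i] = NULL;
        }
}

/* Channel-thread side, vulnerable shape: look up, get preempted, then use.
 * Returns -1 when it touches a freed window (the use-after-free). */
static int local_move_size_vulnerable(uint32_t id, int dx, int dy,
                                      void (*interleave)(void)) {
    AppWindow *win = get_window_raw(id);
    if (!win) return 0;
    if (interleave) interleave();
    if (win->freed) return -1;
    win->x += dx; win->y += dy;
    return 1;
}

/* Hardened shape: hold the lock from lookup through last use, so the
 * concurrent delete cannot free the object until the handler is done. */
static int local_move_size_locked(uint32_t id, int dx, int dy,
                                  void (*interleave)(void)) {
    int rc = 0;
    table_lock();
    AppWindow *win = get_window_raw(id);
    if (win) {
        if (interleave) interleave();   /* delete order parks on the lock */
        if (win->freed) rc = -1;
        else { win->x += dx; win->y += dy; rc = 1; }
    }
    table_unlock();                     /* parked delete runs only now */
    return rc;
}

/* Scenario: the server's delete order for window 7 lands while a local move
 * of window 7 is in flight on the channel thread. */
static void delete_window_7(void) { delete_window(7); }
int race_vulnerable(void) {
    reset_tables();
    add_window(0, 7, 100, 200);
    return local_move_size_vulnerable(7, 10, 5, delete_window_7);   /* -1 */
}
int race_locked(void) {
    reset_tables();
    add_window(0, 7, 100, 200);
    return local_move_size_locked(7, 10, 5, delete_window_7);       /* 1 */
}
/* Valid after race_locked(): the move was applied, then the delete ran. */
int window_7_gone(void) { return get_window_raw(7) == NULL; }
int window_7_last_x(void) { return pool[0].x; }                     /* 110 */
```

Call `race_vulnerable()` and then `race_locked()` from a `main` of your own; the first returns -1 because the handler touched a window the main thread had already torn down, the second returns 1 and only afterwards lets the delete run. Holding the lock across the whole handler is the simplest shape but serialises the main thread against RAIL processing; copying the fields the handler needs out of the object under the lock, or reference-counting the window so the delete order only drops a reference, are the usual alternatives. Which approach the project took for 3.23.0 is not stated on this page.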

Affected Systems

The flaw is present in every FreeRDP release before 3.23.0. The vulnerable function belongs to the X11 client (`xfreerdp`; the `xf_` prefix and the `xfAppWindow` type are that client's), so a system is exposed when it runs that client in RemoteApp (RAIL) mode, which is what brings the RAIL channel and its window table into play. The advisory concerns client code only: the FreeRDP server components are not the subject of this advisory, and the page names no other client.

Risk and Exploitability

The headline 5.5 is the CVSS 4.0 score (AV:N/AC:L/AT:N/PR:N/UI:N with only a low availability impact, VA:L); the history below also records CVSS 3.1 scores of 5.3 (AC:H, UI:R) and 7.5 (AC:L, UI:N), which differ in attack complexity and in whether user interaction is counted. EPSS below 1% and absence from the CISA KEV catalog point to no observed exploitation, while the SSVC record in the history marks Exploitation as 'poc', so a proof of concept exists. The attack direction follows from where the code runs: the vulnerable function is client code, and RAIL orders such as window delete and local move/size are sent by the server, so the attacker is a malicious or compromised RDP server that an `xfreerdp` user connects to in RemoteApp mode. The server issues a local move/size request for a window and a delete order for the same window close enough together that the main thread frees the `xfAppWindow` while the channel thread is still inside `xf_rail_server_local_move_size`. The outcome the advisory supports is a client crash or memory corruption; it claims no code execution, and every CVSS vector on this page scores confidentiality and integrity impact as none. This attacker model is inferred from the description and is not stated in the advisory.

Generated by OpenCVE AI on April 18, 2026 at 10:35 UTC.

Remediation

The advisory states that FreeRDP 3.23.0 fixes the issue; no separate vendor workaround is listed on this page.

OpenCVE Recommended Actions

  • Update FreeRDP to version 3.23.0 or newer, which fixes the use-after-free in `xf_rail_server_local_move_size`
  • If an update cannot be applied immediately, avoid RemoteApp sessions from the X11 client (the `/app` option of `xfreerdp`), above all against servers you do not control; the vulnerable code is only reached when the RAIL channel is in use
  • Watch for unexpected segmentation faults or crashes of the client during RemoteApp sessions, and treat a crash that coincides with the server closing a window as worth investigating

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 03:15:00 +0000

Metrics added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 15:00:00 +0000

CPEs added: cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
Metrics removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}
Metrics added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 26 Feb 2026 13:30:00 +0000

First Time appeared: Freerdp; Freerdp freerdp
Vendors & Products added: Freerdp; Freerdp freerdp

Thu, 26 Feb 2026 12:15:00 +0000

Weaknesses added: CWE-825
References: updated (values not shown)
Metrics removed: threat_severity None
Metrics added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}; threat_severity Moderate


Wed, 25 Feb 2026 21:00:00 +0000

Description added: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
Title added: FreeRDP has heap-use-after-free in xf_rail_server_local_move_size
Weaknesses added: CWE-416
References: updated (values not shown)
Metrics added: cvssV4_0 {'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:54:47.557Z

Reserved: 2026-02-09T17:13:54.065Z

Link: CVE-2026-25954

Vulnrichment

Updated: 2026-02-26T15:54:34.041Z

NVD

Status: Analyzed

Published: 2026-02-25T21:16:41.680

Modified: 2026-02-27T14:56:16.663

Link: CVE-2026-25954

Redhat

Severity : Moderate

Public Date: 2026-02-25T20:30:32Z

Links: CVE-2026-25954 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses