Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.
Published: 2026-02-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap use-after-free in FreeRDP's rail component
Action: Patch
AI Analysis

Impact

A use-after-free vulnerability exists in FreeRDP prior to version 3.23.0. During cleanup, the function that releases a RemoteApp window frees a pointer that has already been freed, which can corrupt heap memory and lead to an application crash. The description implies that an attacker could potentially trigger the flaw by causing the rail window to fail during allocation and then ending the session, which may allow arbitrary memory corruption or denial of service. No confirmed remote code execution is documented.

Affected Systems

The affected product is FreeRDP:FreeRDP. All releases older than version 3.23.0 are vulnerable. The vulnerability is tied to the rail component that handles RemoteApp windows in the X11 client build of FreeRDP.

Risk and Exploitability

The CVSS score is 5.5, indicating moderate severity. The EPSS score is reported as less than 1%, suggesting a very low probability of exploitation at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to create a Remote Desktop Protocol session that exercises the rail component, cause a title allocation to fail, and then disconnect, after which the dangling pointer is freed again. This scenario implies that exploitation would likely be limited to causing a crash or denial of service rather than providing immediate remote code execution.
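The cleanup ordering the description and the analysis above refer to, as an added C example that is not FreeRDP's code: a hypothetical slot-array stand-in for the railWindows table, a fault-injection switch that makes the title allocation fail, and a create path that unregisters the window before freeing it, so the disconnect-time free-all never meets a dangling entry. All names (WindowTable, window_create, alloc_title, g_fail_title_alloc) are assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the railWindows hash table: a slot array, not
 * FreeRDP's HashTable API. Every name below is hypothetical. */
#define MAX_WINDOWS 8
typedef struct { unsigned long id; char *title; } AppWindow;
typedef struct { AppWindow *slots[MAX_WINDOWS]; } WindowTable;
static bool table_insert(WindowTable *t, AppWindow *w) {
    for (int i = 0; i < MAX_WINDOWS; i++)
        if (!t->slots[i]) { t->slots[i] = w; return true; }
    return false;
}
static bool table_remove(WindowTable *t, AppWindow *w) {
    for (int i = 0; i < MAX_WINDOWS; i++)
        if (t->slots[i] == w) { t->slots[i] = NULL; return true; }
    return false;
}
static size_t table_count(const WindowTable *t) {
    size_t n = 0;
    for (int i = 0; i < MAX_WINDOWS; i++) n += (t->slots[i] != NULL);
    return n;
}
/* Disconnect cleanup (the HashTable_Free step): any entry left dangling by a
 * failed create would be freed a second time here. */
static size_t table_free_all(WindowTable *t) {
    size_t n = 0;
    for (int i = 0; i < MAX_WINDOWS; i++) {
        if (!t->slots[i]) continue;
        free(t->slots[i]->title); free(t->slots[i]); t->slots[i] = NULL; n++;
    }
    return n;
}
/* Fault injection so a test can force the title allocation to fail. */
static bool g_fail_title_alloc = false;
static char *alloc_title(const char *s) {
    char *d = g_fail_title_alloc ? NULL : malloc(strlen(s) + 1);
    return d ? memcpy(d, s, strlen(s) + 1) : NULL;
}
/* Hardened create path: the vulnerable pattern frees the window on title
 * failure while the table entry still points at it. */
static AppWindow *window_create(WindowTable *t, unsigned long id, const char *title) {
    AppWindow *w = calloc(1, sizeof *w);
    if (!w) return NULL;
    w->id = id;
    if (!table_insert(t, w)) { free(w); return NULL; }
    if (!(w->title = alloc_title(title))) {
        /* The missing step: unregister before freeing, so nothing dangles. */
        table_remove(t, w); free(w); return NULL;
    }
    return w;
}
```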

Generated by OpenCVE AI on April 17, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeRDP to version 3.23.0 or later to eliminate the use‑after‑free flaw.
  • If an upgrade is not immediately possible, disable the rail (RemoteApp) feature in FreeRDP configuration so the vulnerable code path is not executed during sessions.
  • Monitor system logs for unexpected crashes or abnormal terminations of FreeRDP during RDP sessions and apply patches promptly when available.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 19:15:00 +0000

  CPEs
    Values Added:   cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
  Metrics
    Values Removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
    Values Added:   cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Thu, 26 Feb 2026 13:30:00 +0000

  First Time appeared
    Values Added:   Freerdp
                    Freerdp freerdp
  Vendors & Products
    Values Added:   Freerdp
                    Freerdp freerdp

Thu, 26 Feb 2026 12:15:00 +0000

  Weaknesses
    Values Added:   CWE-825
  References
  Metrics
    Values Removed: threat_severity None
    Values Added:   cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
                    threat_severity Moderate

Wed, 25 Feb 2026 21:30:00 +0000

  Description
    Values Added:   FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.
  Title
    Values Added:   FreeRDP has heap-use-after-free in rail_window_free
  Weaknesses
    Values Added:   CWE-416
  References
  Metrics
    Values Added:   cvssV4_0 {'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T20:36:03.263Z

Reserved: 2026-02-17T01:41:24.606Z

Link: CVE-2026-26986

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-25T22:16:24.540

Modified: 2026-02-27T19:11:09.313

Link: CVE-2026-26986

Redhat

Severity: Moderate

Public Date: 2026-02-25T21:01:16Z

Links: CVE-2026-26986 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses