PT-2026-22009 · Freerdp+3 · Freerdp+3

Ehdgks0627 · Published 2026-01-01 · Updated 2026-05-22 · CVE-2026-25952

CVSS v3.1: 10 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FreeRDP versions prior to 3.23.0
Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Versions before 3.23.0 contain a flaw in which the xf_SetWindowMinMaxInfo function dereferences a freed xfAppWindow pointer. This occurs because the xf_rail_get_window function, called from xf_rail_server_min_max_info, returns a pointer from the railWindows hash table without any synchronization, so the main thread can delete the window while the RAIL channel thread is still using the pointer.
Recommendations: Update to version 3.23.0 or later.

Weakness Enumeration: Use After Free

Related Identifiers

ALSA-2026:16014
ALSA-2026:16019
ALSA-2026:16482
BDU:2026-04146
CVE-2026-25952
GHSA-CGQM-CWJG-7W9X
OESA-2026-2439
OESA-2026-2440
OESA-2026-2441
OESA-2026-2442
OPENSUSE-SU-2026:10408-1
OPENSUSE-SU-2026:10611-1
OPENSUSE-SU-2026:20632-1
OPENSUSE-SU-2026:20657-1
RHSA-2026:16014
RHSA-2026:16019
RHSA-2026:16482
RHSA-2026:16483
RHSA-2026:16485
RHSA-2026:16777
RHSA-2026:16814
RHSA-2026:16865
RHSA-2026:16866
RHSA-2026:19142
RHSA-2026:19358
RHSA-2026:19811
SUSE-SU-2026:1632-1
SUSE-SU-2026:1633-1
SUSE-SU-2026:1634-1
SUSE-SU-2026:1635-1
SUSE-SU-2026:1640-1
SUSE-SU-2026:21436-1
USN-8105-1

Affected Products

Freerdp
Linuxmint
Rocky Linux
Ubuntu