CVE-2026-25952
Published: 25 February 2026
Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
Mitigating Controls (NIST 800-53 r5)
- Directly mandates identification, prioritization, and timely remediation of flaws such as the use-after-free vulnerability in FreeRDP prior to version 3.23.0 by applying the available patch.
- Implements memory protection mechanisms like address space randomization and data execution prevention that reduce the exploitability of use-after-free vulnerabilities in multithreaded applications like FreeRDP.
- Requires vulnerability scanning and monitoring to identify systems running vulnerable FreeRDP versions affected by this race condition, enabling proactive remediation.
Security Summary
CVE-2026-25952 is a use-after-free vulnerability (CWE-416) in FreeRDP, a free implementation of the Remote Desktop Protocol client. The issue affects versions prior to 3.23.0 and occurs in the X11 client's RAIL channel handling, specifically within the `xf_SetWindowMinMaxInfo` function. This function dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer retrieved from the `railWindows` hash table. A race condition arises when the main thread concurrently deletes the window via a window delete order while the RAIL channel thread continues using the pointer.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating that exploitation is possible over the network with low complexity and requires no privileges or user interaction. A remote attacker controlling an RDP server can exploit this by sending crafted RAIL messages, such as min-max info or window delete orders, to a connecting FreeRDP client. Successful exploitation could lead to arbitrary code execution, denial of service, or compromise of confidentiality, integrity, and availability on the client system.
The fix is available in FreeRDP version 3.23.0, which addresses the race condition by properly protecting the pointer usage. Relevant code changes are visible in the FreeRDP GitHub repository at specific lines in `client/X11/xf_rail.c`, including modifications around lines 1167, 1174, 1178, 1230-1238, and 643. Security practitioners should prioritize updating affected FreeRDP clients to version 3.23.0 or later to mitigate the issue.
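The root cause described above is a lifetime problem: a lookup hands the RAIL channel thread the table's own pointer, and nothing stops the main thread from freeing that object before the channel thread is done with it. The following is an added illustration, not FreeRDP code and not a description of the actual 3.23.0 patch: it models a `railWindows`-style table with a stand-in `app_window` struct and shows one standard way to protect the pointer, reference counting, so that a lookup returns a reference the caller owns. The interleaving (lookup, then delete order, then use) is driven sequentially in `demonstrate()` to make it deterministic; all names and the fixed-size table are assumptions.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for an xfAppWindow-like object (names are assumptions). */
typedef struct {
    atomic_int refcount;          /* one reference owned by the table, plus one per active user */
    uint32_t window_id;
    int32_t max_width, max_height;
} app_window;

/* Toy window table standing in for the railWindows hash table. */
#define TABLE_SLOTS 8
static app_window *table[TABLE_SLOTS];

static app_window *window_new(uint32_t id) {
    app_window *w = calloc(1, sizeof *w);
    if (!w) return NULL;
    atomic_init(&w->refcount, 1);   /* the table's reference */
    w->window_id = id;
    return w;
}

static void window_ref(app_window *w) { atomic_fetch_add(&w->refcount, 1); }

/* Drop one reference; the object is freed only when the last holder lets go. */
static bool window_unref(app_window *w) {
    if (atomic_fetch_sub(&w->refcount, 1) == 1) {
        free(w);
        return true;                /* freed now */
    }
    return false;
}

static bool table_insert(app_window *w) {
    for (int i = 0; i < TABLE_SLOTS; i++)
        if (!table[i]) { table[i] = w; return true; }
    return false;
}

/* Lookup that returns an OWNED reference: the caller must window_unref() it.
   This is the fix pattern: a lookup that returned the table's raw pointer would
   leave the caller holding dangling memory once the table drops its reference. */
static app_window *table_get_ref(uint32_t id) {
    for (int i = 0; i < TABLE_SLOTS; i++)
        if (table[i] && table[i]->window_id == id) { window_ref(table[i]); return table[i]; }
    return NULL;
}

/* Window delete order (main thread): unlink, then drop the table's reference. */
static bool table_delete(uint32_t id) {
    for (int i = 0; i < TABLE_SLOTS; i++) {
        if (table[i] && table[i]->window_id == id) {
            app_window *w = table[i];
            table[i] = NULL;
            window_unref(w);
            return true;
        }
    }
    return false;
}

/* RAIL channel thread: apply min/max info to a window it holds a reference on. */
static int apply_min_max_info(app_window *w, int32_t maxw, int32_t maxh) {
    if (!w) return -1;
    w->max_width = maxw;
    w->max_height = maxh;
    return 0;
}

/* Drive the problematic interleaving sequentially: channel thread looks up the
   window, main thread processes a delete order, channel thread then uses and
   releases the window. Returns 0 when every step behaves as expected. */
static int demonstrate(void) {
    app_window *w = window_new(7);
    if (!w || !table_insert(w)) return 1;

    app_window *held = table_get_ref(7);                  /* channel thread: refcount 2 */
    if (held != w || atomic_load(&held->refcount) != 2) return 2;

    if (!table_delete(7)) return 3;                         /* main thread: refcount 1, not freed */
    if (atomic_load(&held->refcount) != 1) return 4;

    if (apply_min_max_info(held, 800, 600) != 0) return 5;  /* safe: object still alive */
    if (held->max_width != 800 || table_get_ref(7) != NULL) return 6;

    if (!window_unref(held)) return 7;                      /* last reference: freed here */
    return 0;
}
```

The reference count only protects the lifetime of the pointer handed out by the lookup; in a real multithreaded client the table's own insert, lookup and delete still need a mutex (or must be confined to one thread), and the reference must be taken while that lock is held so the delete path cannot free the object between the find and the increment.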
Details
- CWE(s): CWE-416 (Use After Free)
Affected Products
- FreeRDP versions prior to 3.23.0
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The use-after-free in the FreeRDP RDP client is exploitable by a malicious RDP server via crafted RAIL messages for arbitrary code execution on the client, which maps directly to Exploitation for Client Execution (T1203).