CVE-2026-25953
Published: 25 February 2026
Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue.
Mitigating Controls (NIST 800-53 r5)
Flaw remediation: upgrade FreeRDP to 3.23.0 or later, which is the only control that removes the use-after-free itself.
Memory protection: keep ASLR and DEP/NX enabled for the client process; they raise the cost of turning the dangling `xfAppWindow` pointer into code execution but do not prevent the crash or the stale read.
Process isolation: run the FreeRDP client in a sandboxed or low-privilege context so that code execution won via the race does not reach the rest of the host.
Security Summary
CVE-2026-25953 is a use-after-free vulnerability (CWE-416) in FreeRDP, a free implementation of the Remote Desktop Protocol; the flaw is in its X11 client. In versions prior to 3.23.0, the function `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` object. This occurs because the RDPGFX DVC thread obtains a bare pointer to the window via `xf_rail_get_window` without lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. The affected components are in the X11 client modules, specifically `xf_rail.c` and `xf_window.c`.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low complexity and no privileges or user interaction required. The attacker is the RDP server side: a malicious or compromised server can exploit a FreeRDP client that connects to it by interleaving a RAIL window-delete order on the main thread with RDPGFX surface updates that reference the same window on the DVC thread. The outcome depends on winning that race and on what the freed memory has been reused for, ranging from a client crash (denial of service) to memory corruption and arbitrary code execution in the client process.
Version 3.23.0 of FreeRDP addresses the issue, as indicated in the vulnerability description. Relevant code changes can be reviewed in the provided GitHub references, including lines in `xf_rail.c` (1230-1237, 257-290, 643-647) and `xf_window.c` (1394-1428, 1462-1470), which highlight the problematic pointer handling and window management logic fixed upstream. Security practitioners should prioritize upgrading affected FreeRDP deployments to 3.23.0 or later; until then, connecting only to trusted servers is the only workaround, since the trigger is ordinary protocol traffic from the server.
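The description and the summary above both describe the same shape of bug: one thread looks up a window and keeps a bare pointer, another thread frees the window, and the first thread then reads it. The following is an added example, not FreeRDP's own code and not the upstream fix: a small hypothetical window registry with the vulnerable bare-pointer lookup (`registry_lookup_unsafe`) next to a reference-counted lookup (`registry_acquire`) that keeps the object alive across a concurrent delete. The two `demo_*` functions replay the race deterministically by calling the "DVC thread" and "main thread" steps in the losing order; the names `app_window`, `window_registry` and the demo functions are all invented for this illustration.

```c
/* Added example: bare-pointer lookup vs. reference-counted lookup under a
 * concurrent delete. Hypothetical code, not FreeRDP's xf_rail.c/xf_window.c. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_WINDOWS 16

typedef struct {
    uint32_t window_id;
    int refcount;        /* guarded by window_registry.lock */
    int surface_updates; /* stand-in for the surface-to-window work */
} app_window;            /* stand-in for xfAppWindow */

typedef struct {
    pthread_mutex_t lock;
    app_window *slots[MAX_WINDOWS];
    int freed_count;     /* instrumentation only: windows freed so far */
} window_registry;

static void registry_init(window_registry *r)
{
    pthread_mutex_init(&r->lock, NULL);
    for (int i = 0; i < MAX_WINDOWS; i++) r->slots[i] = NULL;
    r->freed_count = 0;
}

/* Caller must hold r->lock. Returns slot index or -1. */
static int find_slot(const window_registry *r, uint32_t id)
{
    for (int i = 0; i < MAX_WINDOWS; i++)
        if (r->slots[i] && r->slots[i]->window_id == id) return i;
    return -1;
}

static app_window *registry_create(window_registry *r, uint32_t id)
{
    app_window *w = calloc(1, sizeof *w);
    if (!w) return NULL;
    w->window_id = id;
    w->refcount = 1; /* the registry's own reference */
    int placed = 0;
    pthread_mutex_lock(&r->lock);
    for (int i = 0; i < MAX_WINDOWS && !placed; i++)
        if (!r->slots[i]) { r->slots[i] = w; placed = 1; }
    pthread_mutex_unlock(&r->lock);
    if (!placed) { free(w); return NULL; }
    return w;
}

/* Drop one reference; the window is freed when the last holder lets go. */
static void window_release(window_registry *r, app_window *w)
{
    pthread_mutex_lock(&r->lock);
    int last = (--w->refcount == 0);
    if (last) r->freed_count++;
    pthread_mutex_unlock(&r->lock);
    if (last) free(w);
}

/* Vulnerable pattern (the shape the advisory describes): the lookup hands back
 * a bare pointer, and the lock is already dropped by the time it is used. */
static app_window *registry_lookup_unsafe(window_registry *r, uint32_t id)
{
    pthread_mutex_lock(&r->lock);
    int i = find_slot(r, id);
    app_window *w = (i >= 0) ? r->slots[i] : NULL;
    pthread_mutex_unlock(&r->lock);
    return w; /* nothing stops another thread from freeing *w now */
}

/* Hardened pattern: take a reference while the lock is held, so a concurrent
 * delete can only drop the registry's reference, never free the object. */
static app_window *registry_acquire(window_registry *r, uint32_t id)
{
    pthread_mutex_lock(&r->lock);
    int i = find_slot(r, id);
    app_window *w = (i >= 0) ? r->slots[i] : NULL;
    if (w) w->refcount++;
    pthread_mutex_unlock(&r->lock);
    return w; /* caller owns one reference and must window_release() it */
}

/* Main-thread side of the race: the window-delete order. */
static int registry_delete(window_registry *r, uint32_t id)
{
    pthread_mutex_lock(&r->lock);
    int i = find_slot(r, id);
    app_window *w = (i >= 0) ? r->slots[i] : NULL;
    if (w) r->slots[i] = NULL;
    pthread_mutex_unlock(&r->lock);
    if (!w) return 0;
    window_release(r, w);
    return 1;
}

/* Losing interleaving with the safe lookup: returns 1 if the window stayed
 * valid across the delete, was freed only on release, and is then gone. */
static int demo_safe_sequence(void)
{
    window_registry reg;
    registry_init(&reg);
    registry_create(&reg, 0x1234);
    app_window *w = registry_acquire(&reg, 0x1234); /* DVC thread */
    registry_delete(&reg, 0x1234);                   /* main thread */
    int alive = (reg.freed_count == 0 && w->window_id == 0x1234);
    w->surface_updates++;                            /* safe: we hold a ref */
    window_release(&reg, w);                         /* DVC thread done */
    int freed_after = (reg.freed_count == 1);
    int gone = (registry_acquire(&reg, 0x1234) == NULL);
    pthread_mutex_destroy(&reg.lock);
    return alive && freed_after && gone;
}

/* Same interleaving with the bare pointer: returns 1 if the pointer the
 * lookup handed out is exactly the object the delete freed (a dangling
 * pointer). The pointer is never dereferenced here; doing so is the bug. */
static int demo_unsafe_sequence(void)
{
    window_registry reg;
    registry_init(&reg);
    app_window *created = registry_create(&reg, 0x1234);
    uintptr_t created_addr = (uintptr_t)created;
    app_window *w = registry_lookup_unsafe(&reg, 0x1234); /* DVC thread */
    uintptr_t looked_up = (uintptr_t)w;
    registry_delete(&reg, 0x1234);                        /* main thread frees it */
    w = NULL; /* any w->field access here would be the use-after-free */
    int dangling = (looked_up == created_addr && reg.freed_count == 1);
    pthread_mutex_destroy(&reg.lock);
    return dangling;
}

int main(void)
{
    printf("refcounted lookup survives delete: %d\n", demo_safe_sequence());
    printf("bare lookup leaves dangling ptr:   %d\n", demo_unsafe_sequence());
    return 0;
}
```

The point of the pairing is where the lifetime decision is made: in `registry_acquire` the reference is taken under the same lock that `registry_delete` uses to unlink the object, so there is no window in which the caller holds a pointer the other thread can free. A lookup that returns a bare pointer cannot be fixed by adding a lock inside the lookup alone, because the hazard is after it returns.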
Details
- CWE(s): CWE-416 (Use After Free)
Affected Products: FreeRDP versions prior to 3.23.0 (X11 client, `xf_rail.c` and `xf_window.c`)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The use-after-free in the FreeRDP client can be triggered by crafted RDP traffic from a malicious or compromised server and can yield code execution on the connecting host, which maps directly to Exploitation for Client Execution (T1203).