Unrated severityNVD Advisory· Published Feb 25, 2026· Updated Feb 26, 2026
FreeRDP has heap-use-after-free in xf_AppUpdateWindowFromSurface (freed appWindow)
CVE-2026-25953
Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, xf_AppUpdateWindowFromSurface reads from a freed xfAppWindow because the RDPGFX DVC thread obtains a bare pointer via xf_rail_get_window without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
10- github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.cmitrex_refsource_MISC
- github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.cmitrex_refsource_MISC
- github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.cmitrex_refsource_MISC
- github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.cmitrex_refsource_MISC
- github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.cmitrex_refsource_MISC
- github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.cmitrex_refsource_MISC
- github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/libfreerdp/gdi/gfx.cmitrex_refsource_MISC
- github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/libfreerdp/gdi/gfx.cmitrex_refsource_MISC
- github.com/FreeRDP/FreeRDP/commit/1994e9844212a6dfe0ff12309fef520e888986b5mitrex_refsource_MISC
- github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6rq-rxpc-rh3pmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.