CVE-2026-26986 - Vulnerability Analysis
HighCVSS: 7.5Last Updated: February 27, 2026
FreeRDP - Use After Free
Published: February 25, 2026Updated: February 27, 2026PoC AvailableRemote Exploitable
Overview
FreeRDP prior to 3.23.0 contains a use-after-free vulnerability caused by dereferencing a freed xfAppWindow pointer during HashTable_Free cleanup, letting remote attackers cause a denial of service, exploit requires disconnect event.
Severity & Score
Severity: High
CVSS Score: 7.5
Impact
Attackers can cause a denial of service by crashing the application due to use-after-free.
Mitigation
Update to version 3.23.0 or later.
References
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L395-L399
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L401-L404
- https://github.com/FreeRDP/FreeRDP/commit/b4f0f0a18fe53aa8d47d062f91471f4e9c5e0d51
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-crqx-g6x5-rx47
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1230-L1238
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1297
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1316-L1327
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L386-L394
Related Resources
Details
- CVE ID
- CVE-2026-26986
- Severity
- High
- CVSS Score
- 7.5
- Type
- use_after_free
- Status
- confirmed
CWE
- CWE-416
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H