CVE-2026-26986 - Vulnerability Analysis

Overview

FreeRDP prior to 3.23.0 contains a use-after-free vulnerability caused by dereferencing a freed xfAppWindow pointer during HashTable_Free cleanup, letting remote attackers cause a denial of service, exploit requires disconnect event.

Severity & Score

Impact

Attackers can cause a denial of service by crashing the application due to use-after-free.

Mitigation

Update to version 3.23.0 or later.

References

• https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L401-L404
• https://github.com/FreeRDP/FreeRDP/commit/b4f0f0a18fe53aa8d47d062f91471f4e9c5e0d51
• https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-crqx-g6x5-rx47
• https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1230-L1238
• https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1297
• https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L1316-L1327
• https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L386-L394
• https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_rail.c#L395-L399

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 1, 2026

🟠 CVE-2026-26986 - High (7.5) FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on titl... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26986/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner