CVE-2026-25954

CVE-2026-25954 affects FreeRDP. The vulnerability arises in the RAIL path where xf_rail_get_window returns a pointer from the railWindows hash table that is freed by the main thread while the RAIL channel thread is still using it, allowing dereferencing of a freed xfAppWindow pointer. This race c...

CVE-2026-25953 FreeRDP has heap-use-after-free in xf_AppUpdateWindowFromSurface (freed appWindow)

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, xfAppUpdateWindowFromSurface reads from a freed xfAppWindow because the RDPGFX DVC thread obtains a bare pointer via xfrailgetwindow without any lifetime protection, while the main thread can concurrently...

CVE-2026-25952

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, xfSetWindowMinMaxInfo dereferences a freed xfAppWindow pointer because xfrailgetwindow in xfrailserverminmaxinfo returns an unprotected pointer from the railWindows hash table, and the main thread can...

PT-2026-22009

Name of the Vulnerable Software and Affected Versions FreeRDP versions prior to 3.23.0 Description FreeRDP is a free implementation of the Remote Desktop Protocol. Versions before 3.23.0 contain a flaw where the xf SetWindowMinMaxInfo function improperly dereferences a freed xfAppWindow pointer...