CVE-2026-25954

Source
https://cve.org/CVERecord?id=CVE-2026-25954
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-25954.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-25954
Aliases
  • GHSA-cc88-4j37-mw6j
Downstream
Related
Published
2026-02-25T20:30:32.755Z
Modified
2026-04-11T03:29:11.164517Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Summary
FreeRDP has heap-use-after-free in xf_rail_server_local_move_size
Details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, xf_rail_server_local_move_size dereferences a freed xfAppWindow pointer because xf_rail_get_window returns an unprotected pointer from the railWindows hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-416"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25954.json"
}
References

Affected packages

Git / github.com/freerdp/freerdp

Affected ranges

Type
GIT
Repo
https://github.com/freerdp/freerdp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.23.0"
        }
    ]
}

Affected versions

1.*
1.0-beta1
1.0-beta2
1.0-beta4
1.0-beta5
1.0.0
1.0.1
1.1.0-beta+2013071101
1.1.0-beta1
1.1.0-beta1+android2
1.1.0-beta1+android3
1.1.0-beta1+android4
1.1.0-beta1+android5
1.1.0-beta1+ios1
1.1.0-beta1+ios2
1.1.0-beta1+ios3
1.1.0-beta1+ios4
1.2.0-beta1+android7
1.2.0-beta1+android9
2.*
2.0.0
2.0.0-beta1+android10
2.0.0-beta1+android11
2.0.0-rc0
2.0.0-rc1
2.0.0-rc2
2.0.0-rc3
2.0.0-rc4
3.*
3.0.0
3.0.0-beta1
3.0.0-beta2
3.0.0-beta3
3.0.0-beta4
3.0.0-rc0
3.1.0
3.2.0
3.3.0
3.4.0
3.5.0
3.5.1

Database specific

vanir_signatures_modified
"2026-04-11T03:29:11Z"
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-25954.json"