CVE-2026-26986

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, rail_window_free dereferences a freed xfAppWindow pointer during HashTable_Free cleanup because xf_rail_window_common calls free(appWindow) on title allocation failure without first removing the entry from the railWindows hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-416"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26986.json"
}

References

Affected packages

Git / github.com/freerdp/freerdp

Affected ranges

Type

GIT

Repo

https://github.com/freerdp/freerdp

Events

Introduced

Fixed

b933ae18d9ad2a1d73c610868fcc30eb61654070

Fixed

b4f0f0a18fe53aa8d47d062f91471f4e9c5e0d51

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.23.0"
        }
    ]
}

Affected versions

1.*

1.0-beta1

1.0-beta2

1.0-beta4

1.0-beta5

1.0.0

1.0.1

1.1.0-beta+2013071101

1.1.0-beta1

1.1.0-beta1+android2

1.1.0-beta1+android3

1.1.0-beta1+android4

1.1.0-beta1+android5

1.1.0-beta1+ios1

1.1.0-beta1+ios2

1.1.0-beta1+ios3

1.1.0-beta1+ios4

1.2.0-beta1+android7

1.2.0-beta1+android9

2.*

2.0.0

2.0.0-beta1+android10

2.0.0-beta1+android11

2.0.0-rc0

2.0.0-rc1

2.0.0-rc2

2.0.0-rc3

2.0.0-rc4

3.*

3.0.0

3.0.0-beta1

3.0.0-beta2

3.0.0-beta3

3.0.0-beta4

3.0.0-rc0

3.1.0

3.2.0

3.3.0

3.4.0

3.5.0

3.5.1

Database specific

vanir_signatures_modified

"2026-04-11T03:29:18Z"

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-26986.json"

vanir_signatures

[
    {
        "target": {
            "function": "xf_rail_window_common",
            "file": "client/X11/xf_rail.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 6246.0,
            "function_hash": "240970775091850251955784091515732459955"
        },
        "id": "CVE-2026-26986-265ea781",
        "source": "https://github.com/freerdp/freerdp/commit/b4f0f0a18fe53aa8d47d062f91471f4e9c5e0d51",
        "signature_type": "Function"
    },
    {
        "target": {
            "file": "client/X11/xf_rail.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "53796879253749681813118752091107077786",
                "285643395316838240869894869564148723409",
                "281694856166870700492809226888479456399",
                "325070522899973520407875706441847113121",
                "102837558029218901955210709703231038539",
                "24932369292916951742978035890992647467",
                "303637180569525202361148970753398490927",
                "92545014916748460506689181564842516689",
                "335627375761816351341327773846069799052",
                "217997837448314580348867727570467466864",
                "208157579910403290065071801618121141539",
                "257265186546262234873440531203658841283",
                "183268348372063425315287816805334730981",
                "108659695409281188759969866699814669928",
                "215849500187198486070308556252177599779"
            ]
        },
        "id": "CVE-2026-26986-b510b39a",
        "source": "https://github.com/freerdp/freerdp/commit/b4f0f0a18fe53aa8d47d062f91471f4e9c5e0d51",
        "signature_type": "Line"
    }
]