Cyber Posture

CVE-2026-25941

Severity: Medium · Public PoC

Published: 25 February 2026
Modified: 27 February 2026
KEV Added: (no date listed)
Patch: fixed in 2.11.8 (2.x) and 3.23.0 (3.x)
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
EPSS Score: 0.0012 (30.2nd percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel. A malicious RDP server can make the client read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU whose `bitmapDataLength` field is larger than the amount of bitmap data actually carried in the packet; the client trusts the declared length instead of the bytes remaining in the stream. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue.

Mitigating Controls (NIST 800-53 r5), AI-generated

prevent: SI-2 requires timely identification, reporting, and correction of flaws such as the out-of-bounds read in vulnerable FreeRDP versions, which here means upgrading client installations to the fixed releases (2.11.8 on the 2.x branch, 3.23.0 on the 3.x branch).

prevent: SI-10 mandates input validation at protocol entry points such as the RDPGFX channel. The concrete check missing here is that `bitmapDataLength` in a WIRE_TO_SURFACE_2 PDU must not exceed the bytes still present in the received stream before the payload is handed to a codec (CWE-20).

prevent: SI-16 covers memory protection mechanisms such as ASLR and DEP. These do not stop the out-of-bounds read itself or the disclosure of heap contents; ASLR only reduces the value of any pointers leaked this way, and DEP is irrelevant to a pure read primitive. Treat SI-16 as defence in depth behind patching and input validation, not as a mitigation for this CVE on its own.

Security Summary, AI-generated

CVE-2026-25941 is an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel, affecting FreeRDP versions on the 2.x branch prior to 2.11.8 and on the 3.x branch prior to 3.23.0. FreeRDP is a free implementation of the Remote Desktop Protocol. The flaw is triggered when the client processes a crafted WIRE_TO_SURFACE_2 PDU whose bitmapDataLength value is larger than the data actually present in the packet: the client uses the declared length rather than the bytes remaining in the stream, so it reads past the supplied data into uninitialized heap memory. It is rated 4.3 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) and maps to CWE-20 (Improper Input Validation) and CWE-125 (Out-of-bounds Read).

An attacker controlling a malicious RDP server can exploit this when a user connects to it with a vulnerable FreeRDP client; no privileges are required beyond getting the victim to connect (UI:R). The server sends the crafted PDU during the graphics pipeline of the session, and whatever heap contents the client reads are processed as bitmap data, leading to information disclosure. The description also lists client crashes, but the CVSS vector records no availability impact (A:N) and only low confidentiality impact, so organisations that care about crash-on-connect or about what a client's heap may hold (credentials, clipboard contents) should treat the 4.3 score as a floor rather than a ceiling.

The FreeRDP security advisory (GHSA-3546-x645-5cf8) and corresponding commit (2e3b77e28ac6a398897d28ba464dcc5dfab9c9e2) detail the fix, recommending upgrades to FreeRDP version 2.11.8 or later for the 2.x branch, and 3.23.0 or later for the 3.x branch as the primary mitigation.
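The length-check failure described above, as an added example in C that is not FreeRDP's code: a minimal parser for the WIRE_TO_SURFACE_2 body (field order as in [MS-RDPEGFX] 2.2.2.2, the 8-byte RDPGFX header omitted) that can run in a lenient mode trusting bitmapDataLength, the pattern this CVE describes, or in a strict mode that rejects any claim larger than the bytes remaining. The PDU bytes, field values and function names are constructed for the example; the strict check illustrates the class of fix, not the exact lines of the referenced commit. The lenient path never dereferences past the buffer; it only records how far a codec would have read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Body of a WIRE_TO_SURFACE_2 PDU after the 8-byte RDPGFX header, laid out
 * per [MS-RDPEGFX] 2.2.2.2. Illustrative type for this example, not FreeRDP's. */
typedef struct {
    uint16_t surface_id;
    uint16_t codec_id;
    uint32_t codec_context_id;
    uint8_t pixel_format;
    uint32_t bitmap_data_length; /* server-controlled claim */
    const uint8_t *bitmap_data;  /* payload start inside the PDU buffer */
    size_t available;            /* bytes really present after the fixed fields */
} wts2_pdu;

#define WTS2_FIXED_LEN 13 /* 2 + 2 + 4 + 1 + 4 */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Parse the PDU body. strict == 0 reproduces the flawed pattern: the length
 * field is trusted and bitmap_data would be handed to a codec as if
 * bitmap_data_length bytes existed. strict == 1 adds the check the fix needs:
 * the claimed length must not exceed what the stream still holds.
 * Returns 0 on accept, -1 on reject. */
int parse_wire_to_surface_2(const uint8_t *body, size_t body_len, int strict, wts2_pdu *out)
{
    if (body_len < WTS2_FIXED_LEN)
        return -1; /* fixed fields themselves are truncated */
    out->surface_id = rd16(body);
    out->codec_id = rd16(body + 2);
    out->codec_context_id = rd32(body + 4);
    out->pixel_format = body[8];
    out->bitmap_data_length = rd32(body + 9);
    out->bitmap_data = body + WTS2_FIXED_LEN;
    out->available = body_len - WTS2_FIXED_LEN;
    if (strict && out->bitmap_data_length > out->available)
        return -1; /* crafted PDU: claim exceeds the payload actually received */
    return 0;
}

/* Bytes a codec would read past the PDU if it trusted bitmap_data_length. */
size_t overread_bytes(const wts2_pdu *p)
{
    return p->bitmap_data_length > p->available ? p->bitmap_data_length - p->available : 0;
}

/* Build a PDU body that claims `claimed` payload bytes while carrying only
 * `data_len`. Field values other than the length are arbitrary placeholders.
 * Returns bytes written, or 0 if the buffer is too small. */
size_t build_wts2_body(uint8_t *buf, size_t cap, uint32_t claimed, const uint8_t *data, size_t data_len)
{
    if (cap < WTS2_FIXED_LEN + data_len)
        return 0;
    wr16(buf, 1);           /* surfaceId */
    wr16(buf + 2, 0x000A);  /* codecId (placeholder) */
    wr32(buf + 4, 0);       /* codecContextId */
    buf[8] = 0x20;          /* pixelFormat (placeholder) */
    wr32(buf + 9, claimed); /* bitmapDataLength: the attacker-chosen field */
    memcpy(buf + WTS2_FIXED_LEN, data, data_len);
    return WTS2_FIXED_LEN + data_len;
}

/* Scenario driver over a constructed PDU claiming `claimed` bytes but carrying
 * `actual` bytes of zero filler. Returns the over-read size on accept (0 for a
 * well-formed PDU) or -1 when the parser rejects it. */
long run_scenario(uint32_t claimed, size_t actual, int strict)
{
    uint8_t filler[32] = {0};
    uint8_t buf[64];
    wts2_pdu pdu;
    if (actual > sizeof filler)
        return -1;
    size_t n = build_wts2_body(buf, sizeof buf, claimed, filler, actual);
    if (n == 0 || parse_wire_to_surface_2(buf, n, strict, &pdu) != 0)
        return -1;
    return (long)overread_bytes(&pdu);
}

int main(void)
{
    printf("lenient, claim 0x1000 with 4 present: would over-read %ld bytes\n", run_scenario(0x1000, 4, 0));
    printf("strict,  claim 0x1000 with 4 present: %ld (rejected)\n", run_scenario(0x1000, 4, 1));
    printf("strict,  claim 4 with 4 present:      %ld (accepted, no over-read)\n", run_scenario(4, 4, 1));
    return 0;
}
```

Build with `cc -Wall -o wts2 wts2.c && ./wts2`. The point of the strict branch is where it sits: the comparison against the bytes still in the stream happens before the payload pointer and declared length reach any decoder. In FreeRDP's own code base that kind of check is normally expressed with its Stream_CheckAndLogRequiredLength helper rather than an open-coded comparison, but the invariant is the same. A fuzz harness for a client parser should generate exactly this shape of input, a plausible fixed header followed by a length field that disagrees with the packet size, since it is the case a length-prefixed format parser most often gets wrong.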

Details

CWE(s)

CWE-20 (Improper Input Validation) · CWE-125 (Out-of-bounds Read)

Affected Products

freerdp / freerdp
2.0.0 up to but not including 2.11.8 · 3.0.0 up to but not including 3.23.0

MITRE ATT&CK Enterprise Techniques, AI-generated

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0
