CVE-2026-25955

CVE-2026-25955 is a use-after-free vulnerability (CWE-416) in FreeRDP, a free implementation of the Remote Desktop Protocol. It affects versions prior to 3.23.0, specifically in the X11 client component's `xf_AppUpdateWindowFromSurface` function. The flaw arises because `gdi_DeleteSurface` frees `surface->data` without invalidating the cached `appWindow->image` XImage structure that aliases it, allowing the freed RDPGFX surface buffer to be reused via the dangling pointer.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with low complexity, no privileges or user interaction required. A remote unauthenticated attacker could exploit it by serving malicious RDP traffic to a victim running a vulnerable FreeRDP client, triggering the use-after-free during surface updates and potentially achieving high-impact confidentiality, integrity, and availability violations such as arbitrary code execution or system crashes on the client machine.

FreeRDP version 3.23.0 resolves the issue, as implemented in commit 169d358734509e82663a0d6a0085ae726d439d8e. The fix addresses the memory invalidation in `gdi_DeleteSurface` and related logic in `xf_window.c` (lines 1484-1492, 1494-1500, 1528) and `gfx.c` (lines 1224-1227). Practitioners should prioritize updating to 3.23.0 or later to mitigate exposure.