CVE-2026-25941
Out-of-Bounds Read in FreeRDP RDPGFX Channel Causes Info Disclosure
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freerdp | freerdp | From 2.0.0 (inc) to 2.11.8 (exc) |
| freerdp | freerdp | From 3.0.0 (inc) to 3.23.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25941 is an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel, specifically in the handling of the WIRE_TO_SURFACE_2 PDU.
The vulnerability occurs because the function processing this PDU reads a bitmapDataLength field and advances the stream pointer without verifying that the stream contains enough data. This lack of validation allows a malicious RDP server to send a crafted packet with a bitmapDataLength larger than the actual data, causing the client to read beyond the valid buffer into uninitialized heap memory.
This can lead to information disclosure or client crashes when a user connects to a malicious server. The issue was fixed by adding proper validation to ensure the stream contains sufficient data before advancing the pointer. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing a malicious RDP server to cause your FreeRDP client to read uninitialized heap memory, potentially disclosing sensitive information.
Additionally, it can cause client crashes (denial of service) due to invalid memory access.
Exploitation requires only that the user connects to a malicious RDP server; no special privileges or authentication on the server side are needed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when a FreeRDP client connects to a malicious RDP server that sends a crafted WIRE_TO_SURFACE_2 PDU with an invalid bitmapDataLength value. Detection involves monitoring FreeRDP client behavior for crashes or abnormal memory reads during RDP sessions.
A practical detection method is to run FreeRDP built with AddressSanitizer enabled. When connecting to suspicious or untrusted RDP servers, AddressSanitizer can detect heap-buffer-overflow reads triggered by malformed PDUs.
There are no specific network commands provided in the resources to detect this vulnerability directly on the network. However, monitoring FreeRDP client logs for errors related to stream processing or crashes during RDP connections may help identify exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update FreeRDP to a fixed version: 2.11.8 or later on the 2.x branch, or 3.23.0 or later on the 3.x branch.
These versions include a patch that adds proper validation of the bitmapDataLength field in the WIRE_TO_SURFACE_2 PDU, preventing out-of-bounds reads by verifying stream length before advancing the pointer.
Until the update can be applied, avoid connecting FreeRDP clients to untrusted or potentially malicious RDP servers, as exploitation requires user interaction by connecting to a malicious server.
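As an added illustration, not FreeRDP's own code, here is the kind of length check the answers above describe, written against a simplified stream type. The PDU layout is an assumption for illustration (a 32-bit little-endian bitmapDataLength followed by that many bytes of bitmap data); the stream type, function names and the two sample PDUs are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
/* Minimal read-only stream: position plus fixed capacity (assumed,
 * simplified; not FreeRDP's wStream API). */
typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t pos;
} pdu_stream;

static size_t remaining(const pdu_stream *s) { return s->len - s->pos; }
typedef struct {
    uint32_t bitmapDataLength;
    const uint8_t *bitmapData; /* points into the stream, never copied */
} wire_to_surface_2;

/* Hardened parse: 1 on success, 0 if the PDU is truncated. Layout is an
 * assumption for illustration: 32-bit LE bitmapDataLength, then the data. */
int parse_wire_to_surface_2(pdu_stream *s, wire_to_surface_2 *out)
{
    if (remaining(s) < 4)                 /* need the length field itself */
        return 0;
    uint32_t n = (uint32_t)s->buf[s->pos]
               | (uint32_t)s->buf[s->pos + 1] << 8
               | (uint32_t)s->buf[s->pos + 2] << 16
               | (uint32_t)s->buf[s->pos + 3] << 24;
    s->pos += 4;
    /* The check the fix adds: the stream must still hold n bytes before
     * the data pointer is taken and the position advanced past it. */
    if (remaining(s) < n)
        return 0;
    out->bitmapDataLength = n;
    out->bitmapData = s->buf + s->pos;
    s->pos += n;
    return 1;
}

/* Constructed sample PDUs (not captured traffic): one consistent, one
 * claiming 16 data bytes while only 3 follow, as described above. */
static const uint8_t GOOD_PDU[] = { 3, 0, 0, 0, 0xAA, 0xBB, 0xCC };
static const uint8_t BAD_PDU[]  = { 16, 0, 0, 0, 0xAA, 0xBB, 0xCC };

/* Returns the parsed length on success, -1 when the PDU is rejected. */
int parse_sample(const uint8_t *bytes, size_t len)
{
    pdu_stream s = { bytes, len, 0 };
    wire_to_surface_2 w;
    return parse_wire_to_surface_2(&s, &w) ? (int)w.bitmapDataLength : -1;
}
```

Without the `remaining(s) < n` check, the truncated sample would yield a data pointer whose claimed extent runs 13 bytes past the buffer, which is the condition AddressSanitizer reports as a heap-buffer-overflow read.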