CVE-2026-25941
Out-of-Bounds Read in FreeRDP RDPGFX Channel Causes Info Disclosure

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue.
Meta Information
Published: 2026-02-25
Last Modified: 2026-02-27
Generated: 2026-06-16
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-06-14
Affected Vendors & Products (2 associated CPEs)
Vendor    Product    Version / Range
freerdp   freerdp    From 2.0.0 (inc) to 2.11.8 (exc)
freerdp   freerdp    From 3.0.0 (inc) to 3.23.0 (exc)
CWE
CWE ID    Description
CWE-20    The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-125   The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-25941 is an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel, specifically in the handling of the WIRE_TO_SURFACE_2 PDU.

The vulnerability occurs because the function processing this PDU reads a bitmapDataLength field and advances the stream pointer without verifying that the stream contains enough data. This lack of validation allows a malicious RDP server to send a crafted packet with a bitmapDataLength larger than the actual data, causing the client to read beyond the valid buffer into uninitialized heap memory.

This can lead to information disclosure or client crashes when a user connects to a malicious server. The issue was fixed by adding proper validation to ensure the stream contains sufficient data before advancing the pointer. [1]

Impact Analysis

This vulnerability can impact you by allowing a malicious RDP server to cause your FreeRDP client to read uninitialized heap memory, potentially disclosing sensitive information.

Additionally, it can cause client crashes (denial of service) due to invalid memory access.

Exploitation requires only that the user connects to a malicious RDP server; no special privileges or authentication on the server side are needed.

Detection Guidance

This vulnerability occurs when a FreeRDP client connects to a malicious RDP server that sends a crafted WIRE_TO_SURFACE_2 PDU with an invalid bitmapDataLength value. Detection involves monitoring FreeRDP client behavior for crashes or abnormal memory reads during RDP sessions.

A practical detection method is to run FreeRDP built with AddressSanitizer enabled. When connecting to suspicious or untrusted RDP servers, AddressSanitizer can detect heap-buffer-overflow reads triggered by malformed PDUs.

The referenced resources provide no network-level signature or command for detecting this vulnerability directly on the wire. However, monitoring FreeRDP client logs for errors related to stream processing or crashes during RDP connections may help identify exploitation attempts.

Mitigation Strategies

The primary mitigation is to update FreeRDP to a fixed version: 2.11.8 or later on the 2.x branch, or 3.23.0 or later on the 3.x branch.

These versions include a patch that adds proper validation of the bitmapDataLength field in the WIRE_TO_SURFACE_2 PDU, preventing out-of-bounds reads by verifying stream length before advancing the pointer.

Until the update can be applied, avoid connecting FreeRDP clients to untrusted or potentially malicious RDP servers, as exploitation requires user interaction by connecting to a malicious server.
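The parser pattern the fix describes, written here as an added example rather than FreeRDP's own code: the field order follows RDPGFX_WIRE_TO_SURFACE_PDU_2 in MS-RDPEGFX, the stream cursor is a constructed stand-in for FreeRDP's wStream, and both sample PDUs are constructed, the crafted one claiming 0x1000 bytes of bitmap data while carrying only four.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal little-endian byte-stream cursor (constructed stand-in, not FreeRDP's wStream). */
typedef struct { const uint8_t *data; size_t length; size_t pos; } stream_t;
static size_t stream_remaining(const stream_t *s) { return s->length - s->pos; }
static uint32_t read_le(stream_t *s, size_t n) { /* n = 1, 2 or 4 bytes */
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint32_t)s->data[s->pos + i] << (8 * i);
    s->pos += n;
    return v;
}
/* Field order of RDPGFX_WIRE_TO_SURFACE_PDU_2 as specified in MS-RDPEGFX. */
typedef struct {
    uint16_t surfaceId, codecId; uint32_t codecContextId; uint8_t pixelFormat;
    uint32_t bitmapDataLength; const uint8_t *bitmapData;
} wire_to_surface_2_t;
/* Returns 0 on success, -1 if the PDU is truncated or claims more bitmap data than it carries. */
int parse_wire_to_surface_2(const uint8_t *buf, size_t len, wire_to_surface_2_t *pdu) {
    stream_t s = { buf, len, 0 };
    if (stream_remaining(&s) < 13) return -1;     /* 2 + 2 + 4 + 1 + 4 bytes of fixed fields */
    pdu->surfaceId = (uint16_t)read_le(&s, 2);
    pdu->codecId = (uint16_t)read_le(&s, 2);
    pdu->codecContextId = read_le(&s, 4);
    pdu->pixelFormat = (uint8_t)read_le(&s, 1);
    pdu->bitmapDataLength = read_le(&s, 4);
    /* The check the fix adds: the server-supplied length must not exceed the bytes actually
       present before the cursor is advanced, or bitmapData would point past the buffer. */
    if (pdu->bitmapDataLength > stream_remaining(&s)) return -1;
    pdu->bitmapData = s.data + s.pos;
    s.pos += pdu->bitmapDataLength;
    return 0;
}
/* Constructed samples: same header except bitmapDataLength (0x1000 vs 4); 4 payload bytes follow. */
static const uint8_t crafted_pdu[] = { 0x01,0x00, 0x09,0x00, 0x00,0x00,0x00,0x00, 0x20,
                                       0x00,0x10,0x00,0x00, 0xAA,0xBB,0xCC,0xDD };
static const uint8_t valid_pdu[]   = { 0x01,0x00, 0x09,0x00, 0x00,0x00,0x00,0x00, 0x20,
                                       0x04,0x00,0x00,0x00, 0xAA,0xBB,0xCC,0xDD };
int crafted_is_rejected(void) {
    wire_to_surface_2_t p;
    return parse_wire_to_surface_2(crafted_pdu, sizeof crafted_pdu, &p) == -1;
}
int valid_is_accepted(void) {
    wire_to_surface_2_t p;
    return parse_wire_to_surface_2(valid_pdu, sizeof valid_pdu, &p) == 0 &&
           p.bitmapDataLength == 4 && memcmp(p.bitmapData, "\xAA\xBB\xCC\xDD", 4) == 0;
}
```

Without the remaining-length comparison, the crafted PDU would leave bitmapData pointing at four valid bytes followed by 0xFFC bytes of whatever heap memory happens to follow the receive buffer, which is the disclosure the advisory describes.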
