CVE-2026-25955
Status: Received - Intake
Use-After-Free Vulnerability in FreeRDP RDPGFX Surface Buffer

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue.
Meta Information

Generated: 2026-06-16
AI Q&A: 2026-02-25
EPSS evaluated: 2026-06-14
Affected Vendors & Products

Vendor: freerdp
Product: freerdp
Version / Range: all versions before 3.23.0 (3.23.0 excluded)
CWE
CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25955 is a heap-use-after-free vulnerability in FreeRDP versions prior to 3.23.0, specifically in the function xf_AppUpdateWindowFromSurface within the X11 client code.

The issue occurs because the function reuses a cached XImage whose data pointer references a freed RDPGFX surface buffer. When the surface is deleted, its data buffer is freed but the cached XImage still holds a reference to this freed memory. Later, when the same surface ID and dimensions are reused, the stale XImage is reused without recreating it, causing the program to read from freed heap memory.

This use-after-free can lead to crashes or heap corruption, and potentially arbitrary code execution depending on the heap layout and allocator behavior.
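To make the aliasing concrete, here is a constructed C model of the pattern described above (an added example, not FreeRDP's code; the struct and function names are invented): a window caches an image whose data pointer aliases the surface's pixel buffer, the buggy delete frees that buffer without dropping the cached image, and the fixed delete invalidates the cached image first, which is the behaviour the fix is described as adding.

```c
/* Constructed model of the CVE-2026-25955 aliasing pattern; not FreeRDP code. */
#include <stdint.h>
#include <stdlib.h>

typedef struct { uint16_t id; uint32_t w, h; uint8_t *data; } Surface;  /* models an RDPGFX surface */
typedef struct { uint32_t w, h; uint8_t *data; } CachedImage;           /* models the cached XImage */
typedef struct { CachedImage *image; } AppWindow;                       /* models appWindow */

static Surface *surface_create(uint16_t id, uint32_t w, uint32_t h) {
    Surface *s = calloc(1, sizeof *s);
    s->id = id; s->w = w; s->h = h;
    s->data = calloc((size_t)w * h, 4);         /* 32bpp pixel buffer */
    return s;
}

/* Reuses the cached image when dimensions match; otherwise (re)creates it aliasing s->data. */
static int window_update(AppWindow *win, const Surface *s) {
    if (win->image && win->image->w == s->w && win->image->h == s->h)
        return 1;                                /* cache hit: win->image->data must still be live */
    free(win->image);
    win->image = calloc(1, sizeof *win->image);
    win->image->w = s->w; win->image->h = s->h; win->image->data = s->data;
    return 0;                                    /* recreated */
}

/* Buggy delete: frees the pixel buffer but leaves win->image pointing at it. */
static void surface_delete_buggy(Surface *s, AppWindow *win) { (void)win; free(s->data); free(s); }

/* Fixed delete: drop any cached image that aliases the buffer before freeing it. */
static void surface_delete_fixed(Surface *s, AppWindow *win) {
    if (win->image && win->image->data == s->data) { free(win->image); win->image = NULL; }
    free(s->data); free(s);
}

/* Returns 1 if, after the delete, the window still caches an image whose data address is the freed buffer. */
static int cached_image_dangles(int use_fixed_delete) {
    AppWindow win = { NULL };
    Surface *s = surface_create(1, 64, 32);
    window_update(&win, s);
    uintptr_t freed = (uintptr_t)s->data;       /* record the address only; it is never dereferenced */
    if (use_fixed_delete) surface_delete_fixed(s, &win); else surface_delete_buggy(s, &win);
    int dangles = win.image != NULL && (uintptr_t)win.image->data == freed;
    free(win.image);
    return dangles;
}

/* With the fix, a surface re-created with the same id and size forces a fresh image (returns 0, not a cache hit). */
static int reuse_after_fixed_delete(void) {
    AppWindow win = { NULL };
    Surface *s = surface_create(1, 64, 32);
    window_update(&win, s);
    surface_delete_fixed(s, &win);
    s = surface_create(1, 64, 32);
    int hit = window_update(&win, s);
    surface_delete_fixed(s, &win);
    return hit;
}
```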

Impact Analysis

A malicious RDP server can exploit this vulnerability to cause a client-side heap use-after-free, which can lead to application crashes (denial of service) and heap corruption.

In some cases, depending on memory allocator behavior and heap layout, this vulnerability may allow an attacker to execute arbitrary code on the client system.

Detection Guidance

This vulnerability involves a heap-use-after-free in FreeRDP clients prior to version 3.23.0 when connecting to a malicious RDP server using RemoteApp and RDPGFX features. Detection involves identifying FreeRDP clients running vulnerable versions and monitoring for suspicious RDPGFX surface creation and deletion sequences.

Specifically, detection can focus on clients connecting with the parameters `/gdi:sw /gfx /app:program:notepad.exe` or similar RemoteApp invocations, and observing RDPGFX dynamic channel activity involving CreateSurface, DeleteSurface, and reuse of surface IDs.

While no explicit commands are provided in the resources, you can check the installed version of the X11 client (the component containing the affected function) by running:

  • xfreerdp /version

To monitor network traffic for suspicious RDPGFX commands, you can use packet capture tools like tcpdump or Wireshark filtering on RDP dynamic channels. Note that RDP sessions are normally TLS-encrypted, so the RDPGFX dynamic channel contents are only visible in Wireshark if the session traffic can be decrypted.

  • tcpdump -i <interface> -w capture.pcap port 3389

Then analyze the capture in Wireshark for RDPGFX CreateSurface and DeleteSurface messages indicating potential exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade FreeRDP to version 3.23.0 or later, where the vulnerability is fixed by properly invalidating cached XImage references when surfaces are deleted.

If upgrading immediately is not possible, consider disabling RemoteApp or RDPGFX features in the FreeRDP client to reduce exposure to the vulnerable code paths.

Additionally, avoid connecting to untrusted or malicious RDP servers, as exploitation requires a malicious server to send crafted RDPGFX commands.

Monitoring client crashes or heap corruption symptoms may also help detect exploitation attempts.
