CVE-2026-25955
Use-After-Free Vulnerability in FreeRDP RDPGFX Surface Buffer

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: freerdp
Product: freerdp
Version / Range: up to 3.23.0 (excluding)
CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25955 is a heap-use-after-free vulnerability in FreeRDP versions prior to 3.23.0, specifically in the function xf_AppUpdateWindowFromSurface within the X11 client code.

The issue occurs because the function reuses a cached XImage whose data pointer references a freed RDPGFX surface buffer. When the surface is deleted, its data buffer is freed but the cached XImage still holds a reference to this freed memory. Later, when the same surface ID and dimensions are reused, the stale XImage is reused without recreating it, causing the program to read from freed heap memory.

This use-after-free can lead to crashes or heap corruption, and potentially arbitrary code execution depending on the heap layout and allocator behavior.
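The aliasing relationship described above, modelled as an added C example (constructed here, not FreeRDP's own code): a cached window image keeps a data pointer into a surface buffer, the hardened delete invalidates that cache before freeing the buffer, and the update path reuses the cache only while it still aliases the live buffer, so a later surface with the same dimensions gets a fresh image instead of a read from freed memory. The types and function names are hypothetical stand-ins for the RDPGFX surface, XImage and appWindow structures the description names.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical stand-ins for the RDPGFX surface, cached XImage and RemoteApp window. */
typedef struct { uint32_t width, height; uint8_t *data; } Surface;
typedef struct { uint32_t width, height; uint8_t *data; } CachedImage;
typedef struct { CachedImage *image; } AppWindow;

static Surface *surface_create(uint32_t w, uint32_t h) {
    Surface *s = calloc(1, sizeof *s);
    s->width = w; s->height = h;
    s->data = calloc((size_t)w * h, 4); /* 32 bpp pixel buffer */
    return s;
}

/* Hardened delete: drop any cached image aliasing the buffer before freeing it
 * (the unfixed code freed surface->data and left appWindow->image pointing at it). */
static void surface_delete(Surface *s, AppWindow *win) {
    if (win->image && win->image->data == s->data) {
        free(win->image); win->image = NULL;
    }
    free(s->data);
    free(s);
}

/* Reuse the cached image only while it aliases the current surface buffer;
 * matching width/height alone (the unfixed check) does not prove the cache is live. */
static CachedImage *window_update_from_surface(AppWindow *win, const Surface *s) {
    CachedImage *img = win->image;
    if (img && img->width == s->width && img->height == s->height && img->data == s->data)
        return img;
    free(img);
    img = calloc(1, sizeof *img);
    img->width = s->width; img->height = s->height;
    img->data = s->data; /* aliases the surface buffer, as the real XImage does */
    win->image = img;
    return img;
}

/* Replays create -> cache -> delete -> recreate-same-size; 1 if the cache never outlived its buffer. */
static int replay_surface_reuse(void) {
    AppWindow win = { NULL };
    Surface *s1 = surface_create(64, 64);
    window_update_from_surface(&win, s1);
    surface_delete(s1, &win);
    if (win.image != NULL) return 0;              /* cache must be gone */
    Surface *s2 = surface_create(64, 64);         /* same size, new buffer */
    CachedImage *img = window_update_from_surface(&win, s2);
    int ok = (img->data == s2->data);
    surface_delete(s2, &win);
    return ok && win.image == NULL;
}
```

Running the replay under AddressSanitizer is a quick way to confirm that no read touches the freed buffer; the same harness with the dimension-only check would report the heap-use-after-free.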


How can this vulnerability impact me?

A malicious RDP server can exploit this vulnerability to cause a client-side heap use-after-free, which can lead to application crashes (denial of service) and heap corruption.

In some cases, depending on memory allocator behavior and heap layout, this vulnerability may allow an attacker to execute arbitrary code on the client system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a heap-use-after-free in FreeRDP clients prior to version 3.23.0 when connecting to a malicious RDP server using RemoteApp and RDPGFX features. Detection involves identifying FreeRDP clients running vulnerable versions and monitoring for suspicious RDPGFX surface creation and deletion sequences.

Specifically, detection can focus on clients connecting with the parameters `/gdi:sw /gfx /app:program:notepad.exe` or similar RemoteApp invocations, and observing RDPGFX dynamic channel activity involving CreateSurface, DeleteSurface, and reuse of surface IDs.

While no explicit commands are provided in the resources, you can detect vulnerable FreeRDP versions by asking the X11 client to print its version:

  • xfreerdp /version

To monitor network traffic for suspicious RDPGFX commands, you can use packet capture tools like tcpdump or Wireshark filtering on RDP dynamic channels.

  • tcpdump -i <interface> -w capture.pcap port 3389

Then analyze the capture in Wireshark for RDPGFX CreateSurface and DeleteSurface messages indicating potential exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade FreeRDP to version 3.23.0 or later, where the vulnerability is fixed by properly invalidating cached XImage references when surfaces are deleted.

If upgrading immediately is not possible, consider disabling RemoteApp or RDPGFX features in the FreeRDP client to reduce exposure to the vulnerable code paths.

Additionally, avoid connecting to untrusted or malicious RDP servers, as exploitation requires a malicious server to send crafted RDPGFX commands.

Monitoring client crashes or heap corruption symptoms may also help detect exploitation attempts.

