Severity
NVD: 8.1 HIGH
CNA: 4.3
EPSS
0.1% (top 66.49%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 25
Latest update: Mar 18

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet. This can lead to information disclosure or client crashes when a user connects to a

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Exploitability: 2.8 | Impact: 5.2

Affected Packages (2 packages)

NVD: freerdp/freerdp, 2.0.0 to 2.11.8 (+1)
CVEListV5: freerdp/freerdp, >= 2.0.0, < 2.11.8; >= 3.0.0, < 3.23.0 (+1)

Patches

🔴 Vulnerability Details (2)

CVEList: FreeRDP: vuln_1_15_1 RDPGFX WIRE_TO_SURFACE_2 Out-of-Bounds Read (2026-02-25)
OSV: CVE-2026-25941: FreeRDP is a free implementation of the Remote Desktop Protocol (2026-02-25)

📋 Vendor Advisories (3)

Ubuntu: FreeRDP vulnerabilities (2026-03-18)
Red Hat: freerdp: FreeRDP: Information disclosure or client crash via out-of-bounds read in RDPGFX channel (2026-02-25)
Debian: CVE-2026-25941: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-25941 Impact, Exploitability, and Mitigation Steps | Wiz