Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-25941

CVE-2026-25941: FreeRDP Information Disclosure Flaw

CVE-2026-25941 is an information disclosure vulnerability in FreeRDP caused by an out-of-bounds read in the RDPGFX channel. Malicious servers can exploit this to leak heap memory. Learn about affected versions and patches.

Published:

CVE-2026-25941 Overview

FreeRDP, a widely-used free implementation of the Remote Desktop Protocol (RDP), contains an out-of-bounds read vulnerability in the client's RDPGFX channel. This vulnerability allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a bitmapDataLength value larger than the actual data contained in the packet. When users connect to a malicious server, this flaw can result in information disclosure or client crashes.

Critical Impact

A malicious RDP server can exploit improper input validation in the RDPGFX channel to read uninitialized heap memory, potentially exposing sensitive information or causing denial of service through client crashes.

Affected Products

  • FreeRDP 2.x versions prior to 2.11.8
  • FreeRDP 3.x versions prior to 3.23.0
  • Systems using vulnerable FreeRDP client implementations

Discovery Timeline

  • 2026-02-25 - CVE-2026-25941 published to NVD
  • 2026-02-25 - Last updated in NVD database

Technical Details for CVE-2026-25941

Vulnerability Analysis

This vulnerability stems from improper input validation (CWE-20) in the FreeRDP client's handling of WIRE_TO_SURFACE_2 Protocol Data Units (PDUs) within the RDPGFX graphics channel. The RDPGFX channel is responsible for handling graphics rendering commands in RDP sessions.

The vulnerability exists in the rdpgfx_main.c file where the client processes incoming PDUs. When a WIRE_TO_SURFACE_2 PDU is received, the client reads the bitmapDataLength field from the packet and uses this value to seek through the stream. However, prior to the fix, there was no validation to ensure the bitmapDataLength value matched the actual amount of data available in the stream buffer.

An attacker controlling a malicious RDP server can craft a PDU where bitmapDataLength exceeds the actual packet size, causing the client to read beyond the bounds of the allocated buffer into uninitialized heap memory.

Root Cause

The root cause is insufficient bounds checking when processing the bitmapDataLength field in WIRE_TO_SURFACE_2 PDUs. The original code used Stream_Seek() to advance the stream pointer by the attacker-controlled bitmapDataLength value without verifying that sufficient data exists in the stream buffer. This allows an out-of-bounds read when the specified length exceeds the actual available data.

Attack Vector

The attack requires a user to connect their FreeRDP client to a malicious RDP server controlled by the attacker. The attack vector is network-based and requires user interaction (connecting to the malicious server). Upon connection, the malicious server sends a crafted WIRE_TO_SURFACE_2 PDU with an inflated bitmapDataLength value, triggering the out-of-bounds read on the client side.

c
 	Stream_Read_UINT8(s, pdu.pixelFormat);       /* pixelFormat (1 byte) */
 	Stream_Read_UINT32(s, pdu.bitmapDataLength); /* bitmapDataLength (4 bytes) */
 	pdu.bitmapData = Stream_Pointer(s);
-	Stream_Seek(s, pdu.bitmapDataLength);
+	if (!Stream_SafeSeek(s, pdu.bitmapDataLength))
+		return ERROR_INVALID_DATA;

 	DEBUG_RDPGFX(gfx->log,
 	             "RecvWireToSurface2Pdu: surfaceId: %" PRIu16 " codecId: %s (0x%04" PRIX16 ") ",

Source: GitHub Commit Update

Detection Methods for CVE-2026-25941

Indicators of Compromise

  • Unexpected FreeRDP client crashes when connecting to RDP servers
  • Memory access violations or segmentation faults in FreeRDP client processes
  • Abnormal RDPGFX channel traffic containing oversized WIRE_TO_SURFACE_2 PDUs
  • Connection attempts to unknown or suspicious RDP servers

Detection Strategies

  • Monitor for FreeRDP client crash patterns and correlate with network connection logs to identify potentially malicious servers
  • Implement network traffic analysis to detect malformed RDPGFX PDUs with mismatched bitmapDataLength values
  • Deploy endpoint detection to identify memory access violations in FreeRDP processes
  • Audit RDP connection histories to identify connections to untrusted servers

Monitoring Recommendations

  • Enable verbose logging for FreeRDP client applications to capture connection details and error conditions
  • Implement network-level monitoring for RDP traffic anomalies, particularly in RDPGFX channel communications
  • Configure alerts for repeated FreeRDP client crashes or unexpected terminations
  • Monitor for connections to RDP servers outside of approved/trusted lists

How to Mitigate CVE-2026-25941

Immediate Actions Required

  • Update FreeRDP 2.x installations to version 2.11.8 or later
  • Update FreeRDP 3.x installations to version 3.23.0 or later
  • Restrict RDP client connections to trusted, verified servers only
  • Implement network segmentation to limit exposure to potentially malicious RDP servers

Patch Information

The vulnerability has been addressed in FreeRDP versions 2.11.8 and 3.23.0. The fix replaces the unsafe Stream_Seek() function with Stream_SafeSeek(), which validates that sufficient data exists in the stream before advancing the pointer. If validation fails, the function returns ERROR_INVALID_DATA, preventing the out-of-bounds read.

For detailed patch information, refer to the GitHub Security Advisory GHSA-3546-x645-5cf8 and the GitHub Commit Update.

Workarounds

  • Avoid connecting FreeRDP clients to untrusted or unknown RDP servers until patching is complete
  • Use VPN or network access controls to ensure RDP connections only occur within trusted network boundaries
  • Consider disabling or restricting RDPGFX channel functionality if not required for operations
  • Implement application whitelisting to control which RDP servers users can connect to
bash
# Example: Restrict FreeRDP to connect only to trusted servers
# Create a list of approved RDP servers and validate connections
# before allowing FreeRDP client to establish sessions

# Update FreeRDP on Debian/Ubuntu-based systems
sudo apt update && sudo apt install freerdp2-x11

# Verify FreeRDP version after update
xfreerdp --version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne