CVE-2026-25941 Overview
FreeRDP, a widely-used free implementation of the Remote Desktop Protocol (RDP), contains an out-of-bounds read vulnerability in the client's RDPGFX channel. This vulnerability allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a bitmapDataLength value larger than the actual data contained in the packet. When users connect to a malicious server, this flaw can result in information disclosure or client crashes.
Critical Impact
A malicious RDP server can exploit improper input validation in the RDPGFX channel to read uninitialized heap memory, potentially exposing sensitive information or causing denial of service through client crashes.
Affected Products
- FreeRDP 2.x versions prior to 2.11.8
- FreeRDP 3.x versions prior to 3.23.0
- Systems using vulnerable FreeRDP client implementations
Discovery Timeline
- 2026-02-25 - CVE-2026-25941 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-25941
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) in the FreeRDP client's handling of WIRE_TO_SURFACE_2 Protocol Data Units (PDUs) within the RDPGFX graphics channel. The RDPGFX channel is responsible for handling graphics rendering commands in RDP sessions.
The vulnerability exists in the rdpgfx_main.c file where the client processes incoming PDUs. When a WIRE_TO_SURFACE_2 PDU is received, the client reads the bitmapDataLength field from the packet and uses this value to seek through the stream. However, prior to the fix, there was no validation to ensure the bitmapDataLength value matched the actual amount of data available in the stream buffer.
An attacker controlling a malicious RDP server can craft a PDU where bitmapDataLength exceeds the actual packet size, causing the client to read beyond the bounds of the allocated buffer into uninitialized heap memory.
Root Cause
The root cause is insufficient bounds checking when processing the bitmapDataLength field in WIRE_TO_SURFACE_2 PDUs. The original code used Stream_Seek() to advance the stream pointer by the attacker-controlled bitmapDataLength value without verifying that sufficient data exists in the stream buffer. This allows an out-of-bounds read when the specified length exceeds the actual available data.
Attack Vector
The attack requires a user to connect their FreeRDP client to a malicious RDP server controlled by the attacker. The attack vector is network-based and requires user interaction (connecting to the malicious server). Upon connection, the malicious server sends a crafted WIRE_TO_SURFACE_2 PDU with an inflated bitmapDataLength value, triggering the out-of-bounds read on the client side.
Stream_Read_UINT8(s, pdu.pixelFormat); /* pixelFormat (1 byte) */
Stream_Read_UINT32(s, pdu.bitmapDataLength); /* bitmapDataLength (4 bytes) */
pdu.bitmapData = Stream_Pointer(s);
- Stream_Seek(s, pdu.bitmapDataLength);
+ if (!Stream_SafeSeek(s, pdu.bitmapDataLength))
+ return ERROR_INVALID_DATA;
DEBUG_RDPGFX(gfx->log,
"RecvWireToSurface2Pdu: surfaceId: %" PRIu16 " codecId: %s (0x%04" PRIX16 ") ",
Source: GitHub Commit Update
Detection Methods for CVE-2026-25941
Indicators of Compromise
- Unexpected FreeRDP client crashes when connecting to RDP servers
- Memory access violations or segmentation faults in FreeRDP client processes
- Abnormal RDPGFX channel traffic containing oversized WIRE_TO_SURFACE_2 PDUs
- Connection attempts to unknown or suspicious RDP servers
Detection Strategies
- Monitor for FreeRDP client crash patterns and correlate with network connection logs to identify potentially malicious servers
- Implement network traffic analysis to detect malformed RDPGFX PDUs with mismatched bitmapDataLength values
- Deploy endpoint detection to identify memory access violations in FreeRDP processes
- Audit RDP connection histories to identify connections to untrusted servers
Monitoring Recommendations
- Enable verbose logging for FreeRDP client applications to capture connection details and error conditions
- Implement network-level monitoring for RDP traffic anomalies, particularly in RDPGFX channel communications
- Configure alerts for repeated FreeRDP client crashes or unexpected terminations
- Monitor for connections to RDP servers outside of approved/trusted lists
How to Mitigate CVE-2026-25941
Immediate Actions Required
- Update FreeRDP 2.x installations to version 2.11.8 or later
- Update FreeRDP 3.x installations to version 3.23.0 or later
- Restrict RDP client connections to trusted, verified servers only
- Implement network segmentation to limit exposure to potentially malicious RDP servers
Patch Information
The vulnerability has been addressed in FreeRDP versions 2.11.8 and 3.23.0. The fix replaces the unsafe Stream_Seek() function with Stream_SafeSeek(), which validates that sufficient data exists in the stream before advancing the pointer. If validation fails, the function returns ERROR_INVALID_DATA, preventing the out-of-bounds read.
For detailed patch information, refer to the GitHub Security Advisory GHSA-3546-x645-5cf8 and the GitHub Commit Update.
Workarounds
- Avoid connecting FreeRDP clients to untrusted or unknown RDP servers until patching is complete
- Use VPN or network access controls to ensure RDP connections only occur within trusted network boundaries
- Consider disabling or restricting RDPGFX channel functionality if not required for operations
- Implement application whitelisting to control which RDP servers users can connect to
# Example: Restrict FreeRDP to connect only to trusted servers
# Create a list of approved RDP servers and validate connections
# before allowing FreeRDP client to establish sessions
# Update FreeRDP on Debian/Ubuntu-based systems
sudo apt update && sudo apt install freerdp2-x11
# Verify FreeRDP version after update
xfreerdp --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
