Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue.
Published: 2026-02-25
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure and Potential Crash
Action: Update
AI Analysis

Impact

FreeRDP is a free Remote Desktop Protocol client that contains an out‑of‑bounds read in the RDPGFX channel. A malicious RDP server can send a crafted WIRE_TO_SURFACE_2 PDU with a bitmapDataLength larger than the actual data, causing the client to read uninitialized heap memory. This can leak sensitive data or cause the client to crash. The weakness is identified as buffer overread and improper bounds checking.

Affected Systems

The vulnerability affects FreeRDP versions on the 2.x branch before 2.11.8 and on the 3.x branch before 3.23.0. These releases are used by multiple operating systems that rely on FreeRDP for remote desktop access.

Risk and Exploitability

The CVSS score of 4.3 marks this flaw as moderate severity, and the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to run a malicious RDP server to which a user connects. Once connected, the attacker can trigger the out‑of‑bounds read and obtain information or crash the client. The attack is remote, requires no local privileges, and relies on the client accepting the crafted packet.

Generated by OpenCVE AI on April 17, 2026 at 14:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest FreeRDP release (2.11.8 or later in the 2.x branch, 3.23.0 or later in the 3.x branch) to eliminate the bug.
  • If upgrading immediately is not possible, block or disable the RDPGFX channel on the client side to prevent the malicious PDU from being processed.
  • Configure the client to reject PDUs with bitmapDataLength values exceeding a safe threshold, or use a network-level firewall to restrict connections to trusted RDP servers.

Generated by OpenCVE AI on April 17, 2026 at 14:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

Thu, 26 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Freerdp
Freerdp freerdp
Vendors & Products Freerdp
Freerdp freerdp

Thu, 26 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-130
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 25 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Description FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue.
Title FreeRDP: vuln_1_15_1 RDPGFX WIRE_TO_SURFACE_2 Out-of-Bounds Read
Weaknesses CWE-125
CWE-20
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Subscriptions

Freerdp Freerdp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T21:33:42.006Z

Reserved: 2026-02-09T16:22:17.787Z

Link: CVE-2026-25941

cve-icon Vulnrichment

Updated: 2026-02-26T20:46:29.565Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T20:23:48.413

Modified: 2026-02-27T14:53:29.190

Link: CVE-2026-25941

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-25T19:55:24Z

Links: CVE-2026-25941 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses