CVE-2026-25942 - Vulnerability Details

- FreeRDP has global-buffer-overflow in xf_rail_server_execute_result

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 0–6) with an unchecked `execResult->execResult` value received from the server, allowing an out-of-bounds read when the server sends an `execResult` value of 7 or greater. Version 3.23.0 fixes the issue.

Published: 2026-02-25

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in FreeRDP occurs in the xf_rail_server_execute_result function, where the global error_code_names array is indexed with an unchecked execResult value sent from the RDP server. Because the array only contains seven elements, an execResult value of 7 or higher causes an out‑of‑bounds read. This allows the server to leak arbitrary client memory contents to the attacker, potentially exposing sensitive data. The flaw is a classic buffer read error (CWE‑125) and does not permit remote code execution but can compromise confidentiality.

Affected Systems

All FreeRDP releases prior to version 3.23.0 are affected. The fix is included in FreeRDP 3.23.0 and later.

Risk and Exploitability

The CVSS base score of 5.5 indicates moderate impact, and the EPSS score of less than 1% suggests a very low probability of current exploitation. The vulnerability requires a remote RDP server to send a crafted execResult value. No commercial exploitation campaigns are currently known, and the flaw is not listed in CISA’s KEV catalog. Administrators should treat the risk as moderate but action-oriented.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

FreeRDP

affected

Version	Status	Constraints
`< 3.23.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Freerdp

100%

Version	Status	Scheme	Platform
`[0,3.23.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade FreeRDP to version 3.23.0 or later to apply the official fix.
Restrict RDP connections to trusted networks and enforce strict access controls to reduce exposure to malicious servers.
Monitor RDP traffic for anomalous execResult values or repeated reads of out‑of‑bounds indices, and investigate any suspicious activity.

Generated by OpenCVE AI on April 17, 2026 at 14:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00097.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/channels/rail/client/rail_orders.c#L528
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/channels/rail/client/rail_orders.c#L75-L76
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_rail.c#L1014-L1017
https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_rail.c#L40-L46
https://github.com/FreeRDP/FreeRDP/commit/9362a0bf8dda04eedbca07d5dfaec1044e67cc6b
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78q6-67m7-wwf6
https://nvd.nist.gov/vuln/detail/CVE-2026-25942
https://www.cve.org/CVERecord?id=CVE-2026-25942

History

Fri, 27 Feb 2026 15:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:freerdp:freerdp::::::::
Metrics	cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Fri, 27 Feb 2026 05:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 26 Feb 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Freerdp Freerdp freerdp
Vendors & Products		Freerdp Freerdp freerdp

Thu, 26 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-25942 https://www.cve.org/CVERecord?id=CVE-2026-25942
Metrics	threat_severity `None`	cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}` threat_severity `Moderate`

Wed, 25 Feb 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description		FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 0–6) with an unchecked `execResult->execResult` value received from the server, allowing an out-of-bounds read when the server sends an `execResult` value of 7 or greater. Version 3.23.0 fixes the issue.
Title		FreeRDP has global-buffer-overflow in xf_rail_server_execute_result
Weaknesses		CWE-125
References		https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/channels/rail/client/rail_orders.c#L528 https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/channels/rail/client/rail_orders.c#L75-L76 https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_rail.c#L1014-L1017 https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_rail.c#L40-L46 https://github.com/FreeRDP/FreeRDP/commit/9362a0bf8dda04eedbca07d5dfaec1044e67cc6b https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78q6-67m7-wwf6
Metrics		cvssV4_0 `{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Freerdp Freerdp

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-25T20:01:16.472Z

Updated: 2026-02-26T20:47:09.779Z

Reserved: 2026-02-09T16:22:17.787Z

Link: CVE-2026-25942

Vulnrichment

Updated: 2026-02-26T20:47:04.368Z

NVD

Status : Analyzed

Published: 2026-02-25T21:16:41.113

Modified: 2026-02-27T14:54:06.747

Link: CVE-2026-25942

Redhat

Severity : Moderate

Publid Date: 2026-02-25T20:01:16Z

Links: CVE-2026-25942 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses

CWE-125

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object