CVE-2026-25955 - Vulnerability Details

- FreeRDP has heap-use-after-free in xf_AppUpdateWindowFromSurface (stale XImage)

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue.

Published: 2026-02-25

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is a heap‑use‑after‑free in the FreeRDP client’s window update routine. A cached XImage continues to reference a surface buffer that has already been freed because the surface delete routine does not clear the aliasing pointer. If an attacker can control RDP graphics data, the client may read or write to unintended memory, leading to crashes, memory corruption, or even arbitrary code execution in rare circumstances.

Affected Systems

The vulnerability is present in the FreeRDP client implementation. All releases older than 3.23.0 are affected and may run into the stale XImage reference bug. The affected product is FreeRDP:FreeRDP, and users deploying any version prior to 3.23.0 could be impacted.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% suggests exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely occur through a remote RDP client that sends crafted graphics updates, triggering the use‑after‑free and causing a crash or memory corruption. Denial of service is the most probable outcome, with a small risk of more severe memory corruption if the attacker has sufficient control over the graphics buffer.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

FreeRDP

affected

Version	Status	Constraints
`< 3.23.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Freerdp

100%

Version	Status	Scheme	Platform
`[0,3.23.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update FreeRDP to version 3.23.0 or later, which removes the stale XImage reference.
Restrict RDP access to trusted users and enforce strong authentication methods to reduce exposure to untrusted clients.
Monitor client logs for segmentation faults or crashes and isolate affected sessions promptly.

Generated by OpenCVE AI on April 17, 2026 at 14:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00105.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1484-L1492
https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1494-L1500
https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1528
https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/libfreerdp/gdi/gfx.c#L1224-L1227
https://github.com/FreeRDP/FreeRDP/commit/169d358734509e82663a0d6a0085ae726d439d8e
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4g54-x8v7-559x
https://nvd.nist.gov/vuln/detail/CVE-2026-25955
https://www.cve.org/CVERecord?id=CVE-2026-25955

History

Fri, 27 Feb 2026 15:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:freerdp:freerdp::::::::
Metrics	cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}`	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 26 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 26 Feb 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Freerdp Freerdp freerdp
Vendors & Products		Freerdp Freerdp freerdp

Thu, 26 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://nvd.nist.gov/vuln/detail/CVE-2026-25955 https://www.cve.org/CVERecord?id=CVE-2026-25955
Metrics	threat_severity `None`	cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}` threat_severity `Moderate`

Wed, 25 Feb 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue.
Title		FreeRDP has heap-use-after-free in xf_AppUpdateWindowFromSurface (stale XImage)
Weaknesses		CWE-416
References		https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1484-L1492 https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1494-L1500 https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1528 https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/libfreerdp/gdi/gfx.c#L1224-L1227 https://github.com/FreeRDP/FreeRDP/commit/169d358734509e82663a0d6a0085ae726d439d8e https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4g54-x8v7-559x
Metrics		cvssV4_0 `{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Freerdp Freerdp

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-25T20:32:42.458Z

Updated: 2026-02-26T15:54:09.229Z

Reserved: 2026-02-09T17:13:54.065Z

Link: CVE-2026-25955

Vulnrichment

Updated: 2026-02-26T15:53:56.664Z

NVD

Status : Analyzed

Published: 2026-02-25T21:16:41.857

Modified: 2026-02-27T14:56:40.630

Link: CVE-2026-25955

Redhat

Severity : Moderate

Publid Date: 2026-02-25T20:32:42Z

Links: CVE-2026-25955 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object