Cyber Resilience

CVE-2026-25941

Severity: Medium · Public PoC

Published: 25 February 2026
Modified: 27 February 2026
KEV Added: not listed
Patch: fixed releases available (2.11.8 / 3.23.0)
CVSS v3.1: 4.3 (Medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS: 0.0028 (19.9th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-25941 is a medium-severity Improper Input Validation (CWE-20) vulnerability in FreeRDP (vendor freerdp, product freerdp). Its CVSS base score is 4.3 (Medium).

Operationally, it ranks at the 19.9th percentile by exploit likelihood (EPSS 0.0028, below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25941 is an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel, affecting FreeRDP versions on the 2.x branch prior to 2.11.8 and on the 3.x branch prior to 3.23.0. FreeRDP is a free implementation of the Remote Desktop Protocol. The flaw occurs when processing a crafted WIRE_TO_SURFACE_2 PDU whose bitmapDataLength value is larger than the data actually present in the packet: the client treats the advertised length as valid and reads uninitialized heap memory beyond the received bytes. It is rated 4.3 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) and maps to CWE-20 (Improper Input Validation) and CWE-125 (Out-of-bounds Read).

A remote attacker controlling a malicious RDP server can exploit this vulnerability when a user connects to it with a vulnerable FreeRDP client (hence UI:R in the vector). The server sends the crafted PDU during the session, and the client reads uninitialized heap memory past the received bitmap data, which can disclose client memory contents. The advisory also notes client crashes as a possible outcome; the CVSS vector nevertheless records only low confidentiality impact, with no integrity or availability impact, so treat the score as a floor rather than a full description of the failure mode.

The FreeRDP security advisory (GHSA-3546-x645-5cf8) and corresponding commit (2e3b77e28ac6a398897d28ba464dcc5dfab9c9e2) detail the fix, recommending upgrades to FreeRDP version 2.11.8 or later for the 2.x branch, and 3.23.0 or later for the 3.x branch as the primary mitigation.

Vulnerability details

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue.
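The parsing flaw described in the Deeper analysis and Vulnerability details sections, as an added example written for this page (it is not FreeRDP's code): a minimal C parser for the WIRE_TO_SURFACE_2 PDU body using the field order from MS-RDPEGFX, in an unchecked form that trusts `bitmapDataLength` and a hardened form that rejects the PDU when the advertised length exceeds the bytes actually received. The helper names, the constructed sample bytes and the measured "overrun" are assumptions of this example; the unchecked path never dereferences out of bounds, it only reports how far a decoder trusting the field would read.

```c
/* Added example for this page, not FreeRDP's code: a minimal parser for the
 * body of an RDPGFX WIRE_TO_SURFACE_2 PDU, field layout per MS-RDPEGFX
 * (surfaceId, codecId, codecContextId, pixelFormat, bitmapDataLength,
 * bitmapData). Sample bytes and helper names are ours. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define W2S2_HEADER_LEN 13u /* 2 + 2 + 4 + 1 + 4 bytes */

typedef struct {
    uint16_t surfaceId, codecId;
    uint32_t codecContextId;
    uint8_t  pixelFormat;
    uint32_t bitmapDataLength; /* attacker-controlled length from the wire */
    const uint8_t *bitmapData; /* points into the caller's receive buffer */
} w2s2_pdu;

/* Little-endian readers (RDP wire byte order). */
static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_u32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Unchecked parse, the pre-fix shape: decodes the 13-byte header and trusts
 * bitmapDataLength. A codec handed (bitmapData, bitmapDataLength) would read
 * that many bytes, running past the received data into adjacent heap.
 * Returns -1 only when the header itself is short. */
static int w2s2_parse_unchecked(const uint8_t *buf, size_t len, w2s2_pdu *out)
{
    if (buf == NULL || out == NULL || len < W2S2_HEADER_LEN)
        return -1;
    out->surfaceId        = rd_u16(buf);
    out->codecId          = rd_u16(buf + 2);
    out->codecContextId   = rd_u32(buf + 4);
    out->pixelFormat      = buf[8];
    out->bitmapDataLength = rd_u32(buf + 9);
    out->bitmapData       = buf + W2S2_HEADER_LEN;
    return 0;
}

/* Hardened parse: the advertised payload must fit in the bytes received. */
static int w2s2_parse_checked(const uint8_t *buf, size_t len, w2s2_pdu *out)
{
    if (w2s2_parse_unchecked(buf, len, out) != 0)
        return -1;
    /* len >= W2S2_HEADER_LEN here, so the subtraction cannot wrap. */
    if ((size_t)out->bitmapDataLength > len - W2S2_HEADER_LEN)
        return -1; /* crafted length: reject before any codec sees it */
    return 0;
}

/* Bytes past the end of the received buffer that a decoder trusting
 * bitmapDataLength would read (0 when the payload fits). Measures only. */
static size_t w2s2_overrun(const w2s2_pdu *pdu, size_t len)
{
    size_t avail = len - W2S2_HEADER_LEN;
    return pdu->bitmapDataLength > avail ? (size_t)pdu->bitmapDataLength - avail : 0;
}

/* Constructed 4-byte payload; the PDUs below are built for the demo, not captured. */
static const uint8_t kPayload[4] = { 0xde, 0xad, 0xbe, 0xef };

/* Build a PDU that carries kPayload but advertises claimed_len; returns its size. */
static size_t w2s2_build(uint8_t *buf, size_t cap, uint32_t claimed_len)
{
    /* surfaceId = 1; codecId and pixelFormat are arbitrary example values */
    static const uint8_t fixed[9] = { 1, 0, 0x0b, 0, 0, 0, 0, 0, 0x20 };
    if (cap < W2S2_HEADER_LEN + sizeof kPayload)
        return 0;
    memcpy(buf, fixed, sizeof fixed);
    for (int i = 0; i < 4; i++)
        buf[9 + i] = (uint8_t)(claimed_len >> (8 * i));
    memcpy(buf + W2S2_HEADER_LEN, kPayload, sizeof kPayload);
    return W2S2_HEADER_LEN + sizeof kPayload;
}

/* Scenario helpers for a PDU advertising claimed_len over the 4 real bytes:
 * what the hardened parser returns, and how far the unchecked path overreads. */
static int scenario_checked_rc(uint32_t claimed_len)
{
    uint8_t pkt[32]; w2s2_pdu pdu;
    size_t n = w2s2_build(pkt, sizeof pkt, claimed_len);
    return w2s2_parse_checked(pkt, n, &pdu);
}

static size_t scenario_overrun(uint32_t claimed_len)
{
    uint8_t pkt[32]; w2s2_pdu pdu;
    size_t n = w2s2_build(pkt, sizeof pkt, claimed_len);
    return w2s2_parse_unchecked(pkt, n, &pdu) == 0 ? w2s2_overrun(&pdu, n) : 0;
}

int main(void)
{
    printf("honest  (len 4):      checked=%d overrun=%zu\n", scenario_checked_rc(4), scenario_overrun(4));
    printf("crafted (len 0x1000): checked=%d overrun=%zu\n", scenario_checked_rc(0x1000), scenario_overrun(0x1000));
    return 0;
}
```

The point is the single comparison in `w2s2_parse_checked`: any length field read off the wire has to be bounded by the bytes remaining in the received stream before the payload pointer is handed to a codec. An honest PDU advertising 4 bytes passes both parsers; a PDU advertising 0x1000 bytes over the same 4 bytes is accepted by the unchecked path with a 4092-byte overread and rejected by the hardened one. An off-by-one (advertising 5) is rejected as well, which is the case a sloppy `>=` versus `>` check tends to get wrong.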

CWE(s)

CWE-20 Improper Input Validation · CWE-125 Out-of-bounds Read

MITRE ATT&CK Enterprise Techniques

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31885 (same product: FreeRDP)
CVE-2026-25942 (same product: FreeRDP)
CVE-2026-33982 (same product: FreeRDP)
CVE-2026-31897 (same product: FreeRDP)
CVE-2026-22855 (same product: FreeRDP)
CVE-2026-22859 (same product: FreeRDP)
CVE-2026-22858 (same product: FreeRDP)
CVE-2026-33985 (same product: FreeRDP)
CVE-2026-29774 (same product: FreeRDP)
CVE-2026-29775 (same product: FreeRDP)

Affected Assets

FreeRDP (vendor freerdp, product freerdp)
2.x branch: 2.0.0 up to but not including 2.11.8 · 3.x branch: 3.0.0 up to but not including 3.23.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): requires timely identification, reporting, and correction of flaws like the out-of-bounds read in vulnerable FreeRDP versions, directly enabling patching to the fixed releases (2.11.8 or 3.23.0). Upgrading is the primary mitigation; the controls below are supporting measures.

SI-10 Information Input Validation (prevent): mandates input validation at protocol entry points such as the RDPGFX channel, directly countering the missing check that bitmapDataLength in a WIRE_TO_SURFACE_2 PDU does not exceed the bytes actually received (CWE-20).

SI-16 Memory Protection (prevent): covers hardening such as ASLR and DEP. Neither stops an out-of-bounds read from returning uninitialized heap contents, so this control does not address the flaw itself; it only raises the cost of turning a memory disclosure into code execution and is not a substitute for the upgrade.
