Cyber Posture

CVE-2026-25941

Medium · Public PoC

Published: 25 February 2026

Modified: 27 February 2026
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
EPSS Score: 0.0012 (30.1st percentile)
Risk Priority: 9 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25941 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Freerdp Freerdp. Its CVSS base score is 4.3 (Medium).

Operationally, it is ranked at the 30.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 requires timely identification, reporting, and correction of flaws like the out-of-bounds read in vulnerable FreeRDP versions, directly enabling patching to the fixed releases (2.11.8 or 3.23.0).

prevent: SI-10 mandates input validation mechanisms at protocol entry points such as the RDPGFX channel, directly countering the improper validation of bitmapDataLength in WIRE_TO_SURFACE_2 PDUs (CWE-20).

prevent: SI-16 enforces memory protections like ASLR and DEP that mitigate information disclosure from uninitialized heap memory accessed via out-of-bounds reads.

MITRE ATT&CK Enterprise Techniques

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

NVD Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue.

Deeper analysis

CVE-2026-25941 is an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel, affecting FreeRDP versions on the 2.x branch prior to 2.11.8 and on the 3.x branch prior to 3.23.0. FreeRDP is a free implementation of the Remote Desktop Protocol. The flaw occurs when processing a crafted WIRE_TO_SURFACE_2 PDU with a bitmapDataLength value larger than the actual data in the packet, allowing access to uninitialized heap memory. It is rated 4.3 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) and maps to CWE-20 (Improper Input Validation) and CWE-125 (Out-of-bounds Read).

A remote attacker controlling a malicious RDP server can exploit this vulnerability when a user connects to it using a vulnerable FreeRDP client. The attacker sends the crafted PDU during the RDP session, potentially reading sensitive uninitialized heap memory from the client, leading to information disclosure. This may also cause client crashes, though the CVSS score reflects low confidentiality impact with no integrity or availability effects.

The FreeRDP security advisory (GHSA-3546-x645-5cf8) and corresponding commit (2e3b77e28ac6a398897d28ba464dcc5dfab9c9e2) detail the fix, recommending upgrades to FreeRDP version 2.11.8 or later for the 2.x branch, and 3.23.0 or later for the 3.x branch as the primary mitigation.
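As an added illustration (not FreeRDP's code and not the referenced fix commit), the C below parses a simplified WIRE_TO_SURFACE_2 body and applies the SI-10-style check the analysis calls for: the declared `bitmapDataLength` is compared against the bytes actually remaining in the packet before the payload pointer is handed out. The struct layout (field order after MS-RDPEGFX, enclosing RDPGFX header omitted), the function names and the sample PDUs are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified WIRE_TO_SURFACE_2 body, constructed for this example. The field
 * order follows the MS-RDPEGFX layout, but the enclosing RDPGFX header that
 * precedes it on the wire is omitted. */
typedef struct {
    uint16_t surfaceId;
    uint16_t codecId;
    uint32_t codecContextId;
    uint8_t pixelFormat;
    uint32_t bitmapDataLength;
    const uint8_t *bitmapData; /* points into the caller's buffer, not copied */
} wire_to_surface_2_t;
#define W2S2_HEADER_LEN 13u /* 2 + 2 + 4 + 1 + 4 bytes, little-endian */
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* Parse one PDU body from buf[0..len). Returns false and leaves *out
 * unusable if the declared bitmapDataLength is not backed by real bytes;
 * a parser that skipped this check would read past the packet (CWE-125). */
bool parse_wire_to_surface_2(const uint8_t *buf, size_t len, wire_to_surface_2_t *out)
{
    if (!buf || !out || len < W2S2_HEADER_LEN)
        return false;
    out->surfaceId = rd16le(buf);
    out->codecId = rd16le(buf + 2);
    out->codecContextId = rd32le(buf + 4);
    out->pixelFormat = buf[8];
    out->bitmapDataLength = rd32le(buf + 9);
    /* Compare against what remains, never trust the declared value alone. */
    if (out->bitmapDataLength > len - W2S2_HEADER_LEN)
        return false;
    out->bitmapData = buf + W2S2_HEADER_LEN;
    return true;
}
/* Constructed sample: header declaring 4 payload bytes, followed by 4 bytes. */
static const uint8_t good_pdu[] = { 0x01,0x00, 0x03,0x00, 0x00,0x00,0x00,0x00, 0x20,
                                    0x04,0x00,0x00,0x00, 0xaa,0xbb,0xcc,0xdd };
/* Constructed sample: same header, but bitmapDataLength = 0x1000 with only 4 bytes present. */
static const uint8_t bad_pdu[]  = { 0x01,0x00, 0x03,0x00, 0x00,0x00,0x00,0x00, 0x20,
                                    0x00,0x10,0x00,0x00, 0xaa,0xbb,0xcc,0xdd };
int check_good(void) { wire_to_surface_2_t p; return parse_wire_to_surface_2(good_pdu, sizeof good_pdu, &p) && p.bitmapDataLength == 4 && p.bitmapData[0] == 0xaa; }
int check_bad(void)  { wire_to_surface_2_t p; return parse_wire_to_surface_2(bad_pdu, sizeof bad_pdu, &p) == false; }
int check_truncated(void) { wire_to_surface_2_t p; return parse_wire_to_surface_2(good_pdu, 10, &p) == false; }
```

The rejected case is exactly the shape the NVD text describes: a header whose length field exceeds the data actually carried in the packet.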

Details

CWE(s)

Affected Products

freerdp / freerdp (vendor / product): 2.0.0 — 2.11.8 · 3.0.0 — 3.23.0

CVEs Like This One

CVE-2026-33982 (same product: Freerdp Freerdp)
CVE-2026-22855 (same product: Freerdp Freerdp)
CVE-2026-31897 (same product: Freerdp Freerdp)
CVE-2026-25942 (same product: Freerdp Freerdp)
CVE-2026-31885 (same product: Freerdp Freerdp)
CVE-2026-22858 (same product: Freerdp Freerdp)
CVE-2026-22859 (same product: Freerdp Freerdp)
CVE-2026-33985 (same product: Freerdp Freerdp)
CVE-2026-23530 (same product: Freerdp Freerdp)
CVE-2026-23732 (same product: Freerdp Freerdp)