CVE-2026-25955
Published: 25 February 2026
Summary
CVE-2026-25955 is a critical-severity Use After Free (CWE-416) vulnerability in Freerdp Freerdp. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 27.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-25955 by requiring timely application of the FreeRDP 3.23.0 patch that corrects the use-after-free in surface buffer management.
Provides memory protection techniques like ASLR and DEP that hinder exploitation of the dangling pointer in the freed RDPGFX surface buffer.
Enables identification of vulnerable FreeRDP versions prior to 3.23.0 through vulnerability scanning, prompting remediation of the use-after-free flaw.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free vulnerability in FreeRDP RDP client enables remote unauthenticated arbitrary code execution via malicious RDP traffic with no user interaction, directly facilitating T1203: Exploitation for Client Execution.
NVD Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version…
more
3.23.0 fixes the issue.
Deeper analysisAI
CVE-2026-25955 is a use-after-free vulnerability (CWE-416) in FreeRDP, a free implementation of the Remote Desktop Protocol. It affects versions prior to 3.23.0, specifically in the X11 client component's `xf_AppUpdateWindowFromSurface` function. The flaw arises because `gdi_DeleteSurface` frees `surface->data` without invalidating the cached `appWindow->image` XImage structure that aliases it, allowing the freed RDPGFX surface buffer to be reused via the dangling pointer.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with low complexity, no privileges or user interaction required. A remote unauthenticated attacker could exploit it by serving malicious RDP traffic to a victim running a vulnerable FreeRDP client, triggering the use-after-free during surface updates and potentially achieving high-impact confidentiality, integrity, and availability violations such as arbitrary code execution or system crashes on the client machine.
FreeRDP version 3.23.0 resolves the issue, as implemented in commit 169d358734509e82663a0d6a0085ae726d439d8e. The fix addresses the memory invalidation in `gdi_DeleteSurface` and related logic in `xf_window.c` (lines 1484-1492, 1494-1500, 1528) and `gfx.c` (lines 1224-1227). Practitioners should prioritize updating to 3.23.0 or later to mitigate exposure.
Details
- CWE(s)