CVE-2026-25941

4.3 MEDIUM
Published: February 25, 2026 Modified: February 27, 2026
View on NVD

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/FreeRDP/FreeRDP/commit/2e3b77e28ac6a398897d28ba464dcc5dfab9c9e2
Source: security-advisories@github.com
Patch
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3546-x645-5cf8
Source: security-advisories@github.com
Exploit Mitigation Patch Vendor Advisory

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
4.3 / 10.0
EPSS (Exploit Probability)
0.1%
26th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-20 CWE-125

Affected Vendors

freerdp

Related CVEs

CVE-2026-4516 6.3
CVE-2019-25572 6.2
CVE-2019-25571 6.2
CVE-2019-25570 5.5
CVE-2019-25569 6.2