CVE-2026-25955

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1484-L1492	Patch
https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1494-L1500	Patch
https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1528	Patch
https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/libfreerdp/gdi/gfx.c#L1224-L1227	Patch
https://github.com/FreeRDP/FreeRDP/commit/169d358734509e82663a0d6a0085ae726d439d8e	Patch
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4g54-x8v7-559x	Exploit Mitigation Patch Vendor Advisory
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4g54-x8v7-559x	Exploit Mitigation Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

History

27 Feb 2026, 14:56

Type	Values Removed	Values Added
CPE		cpe:2.3:a:freerdp:freerdp::::::::
First Time		Freerdp Freerdp freerdp
References	~~() https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1484-L1492 -~~	() https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1484-L1492 - Patch
References	~~() https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1494-L1500 -~~	() https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1494-L1500 - Patch
References	~~() https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1528 -~~	() https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1528 - Patch
References	~~() https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/libfreerdp/gdi/gfx.c#L1224-L1227 -~~	() https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/libfreerdp/gdi/gfx.c#L1224-L1227 - Patch
References	~~() https://github.com/FreeRDP/FreeRDP/commit/169d358734509e82663a0d6a0085ae726d439d8e -~~	() https://github.com/FreeRDP/FreeRDP/commit/169d358734509e82663a0d6a0085ae726d439d8e - Patch
References	~~() https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4g54-x8v7-559x -~~	() https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4g54-x8v7-559x - Exploit, Mitigation, Patch, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

27 Feb 2026, 14:06

Type	Values Removed	Values Added
Summary		(es) FreeRDP es una implementación gratuita del Protocolo de Escritorio Remoto. Antes de la versión 3.23.0, `xf_AppUpdateWindowFromSurface` reutiliza una `XImage` en caché cuyo puntero `data` hace referencia a un búfer de superficie RDPGFX liberado, porque `gdi_DeleteSurface` libera `surface->data` sin invalidar la `appWindow->image` que lo aliasa. La versión 3.23.0 corrige el problema.

26 Feb 2026, 16:24

Type	Values Removed	Values Added
References	~~() https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4g54-x8v7-559x -~~	() https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4g54-x8v7-559x -

25 Feb 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-25 21:16

Updated : 2026-02-27 14:56

NVD link : CVE-2026-25955

Mitre link : CVE-2026-25955

CVE.ORG link : CVE-2026-25955

JSON object : View

Products Affected

freerdp

freerdp

CWE

CWE-416

Use After Free

9.8 /10