CVE-2026-25941

4.3 MEDIUM

📋 TL;DR

FreeRDP clients have an out-of-bounds read vulnerability in the RDPGFX channel that allows malicious RDP servers to read uninitialized heap memory. This can lead to information disclosure or client crashes when users connect to compromised servers. All FreeRDP client users on affected versions are at risk.

💻 Affected Systems

Products:
  • FreeRDP
Versions: 2.x branch prior to 2.11.8, 3.x branch prior to 3.23.0
Operating Systems: All operating systems running FreeRDP client
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects FreeRDP clients when connecting to RDP servers. RDP server implementations are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive information disclosure from client memory, potentially including credentials or session data, leading to client crashes and denial of service.

🟠 Likely Case

Information disclosure of uninitialized heap memory, potentially revealing fragments of sensitive data, with possible client crashes disrupting RDP sessions.

🟢 If Mitigated

Limited impact with proper network segmentation and server trust controls, potentially only causing client crashes without data exposure.

🌐 Internet-Facing: MEDIUM - Requires user to connect to malicious server, but RDP clients often connect to untrusted environments.
🏢 Internal Only: LOW - Internal RDP servers are typically trusted, reducing attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the client to connect to a malicious server. No authentication bypass needed as the attack occurs during normal RDP session establishment.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.8 for 2.x branch, 3.23.0 for 3.x branch

Vendor Advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3546-x645-5cf8

Restart Required: Yes

Instructions:

1. Update FreeRDP to version 2.11.8 or higher if using the 2.x branch.
2. Update FreeRDP to version 3.23.0 or higher if using the 3.x branch.
3. Restart any running FreeRDP client processes.

🔧 Temporary Workarounds

Disable RDPGFX channel (Platforms: all)

Disable the RDPGFX channel, which contains the vulnerable component:

freerdp /gfx:off /v:server

Restrict RDP connections (Platforms: all)

Only allow FreeRDP connections to trusted, verified RDP servers.

🧯 If You Can't Patch

  • Implement network segmentation to restrict FreeRDP client access to trusted RDP servers only
  • Monitor for abnormal RDP connection attempts and client crashes

🔍 How to Verify

Check if Vulnerable:

Check FreeRDP version with 'xfreerdp --version' or equivalent command for your platform

Check Version:

xfreerdp --version

Verify Fix Applied:

Verify version is 2.11.8 or higher (2.x branch) or 3.23.0 or higher (3.x branch)
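The version check above can be scripted so it can run in fleet inventory or a post-patch verification job. The following is an added example written for this page, not a script from the FreeRDP project or the advisory: it extracts the first x.y.z token from the `--version` output and compares it against the fixed releases stated here (2.11.8 for 2.x, 3.23.0 for 3.x). The exact wording of the `xfreerdp --version` line is an assumption; the sample strings in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a FreeRDP version string
# against the CVE-2026-25941 affected ranges given on this page:
# 2.x before 2.11.8 and 3.x before 3.23.0.

# Pull the first x.y.z token out of a "--version" line such as
# "This is FreeRDP version 2.11.7 (constructed)". The line wording is an
# assumption; only a dotted three-part version number is relied upon.
extract_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p' \
        | head -n 1
}

# Exit status: 0 = at or above the fixed release for its branch,
#              1 = still affected,
#              2 = branch not covered by this advisory or unparsable input.
freerdp_is_fixed() {
    ver=$(extract_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major" in
        2) fixed_minor=11; fixed_patch=8 ;;   # fixed in 2.11.8
        3) fixed_minor=23; fixed_patch=0 ;;   # fixed in 3.23.0
        *) return 2 ;;
    esac
    if [ "$minor" -gt "$fixed_minor" ]; then
        return 0
    fi
    if [ "$minor" -eq "$fixed_minor" ] && [ "$patch" -ge "$fixed_patch" ]; then
        return 0
    fi
    return 1
}

# Check the locally installed client, if any, and print a one-line verdict.
# Returns the same status codes as freerdp_is_fixed.
check_installed_freerdp() {
    command -v xfreerdp >/dev/null 2>&1 || { echo "UNKNOWN: xfreerdp not installed"; return 2; }
    out=$(xfreerdp --version 2>&1 | head -n 1)
    rc=0
    freerdp_is_fixed "$out" || rc=$?
    case "$rc" in
        0) echo "OK: $out" ;;
        1) echo "AFFECTED: $out" ;;
        *) echo "UNKNOWN: $out" ;;
    esac
    return "$rc"
}
```

Call `check_installed_freerdp` from a cron job or configuration-management task and alert on a non-zero status; `freerdp_is_fixed` can also be fed version strings collected from other hosts (for example a package inventory) without running the client.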

📡 Detection & Monitoring

Log Indicators:

  • FreeRDP client crashes during RDP connection establishment
  • Abnormal memory access errors in system logs

Network Indicators:

  • RDP connections to untrusted or unknown servers
  • Abnormal RDPGFX channel traffic patterns

SIEM Query:

source="freerdp" AND (event="crash" OR event="error") AND process="xfreerdp"

🔗 References
