CVE-2026-25955 – This is a use-after-free vulnerability in FreeR... (How to Fix)

📋 TL;DR

This is a use-after-free vulnerability in FreeRDP's X11 client where a cached XImage continues to reference freed memory. Attackers could potentially execute arbitrary code or cause denial of service. Users of FreeRDP versions before 3.23.0 are affected.

💻 Affected Systems

Products:

FreeRDP

Versions: All versions prior to 3.23.0

Operating Systems: Linux, Unix-like systems with X11

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects X11 client implementation; Windows clients not affected

📦 What is this software?

Freerdp by Freerdp

View all CVEs affecting Freerdp →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise of the FreeRDP client machine

🟠

Likely Case

Application crash or denial of service of the FreeRDP client

🟢

If Mitigated

No impact if patched or workarounds applied

🌐 Internet-Facing: MEDIUM - Requires attacker to control RDP server or man-in-the-middle position

🏢 Internal Only: MEDIUM - Internal RDP connections could be exploited by compromised servers

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires control of RDP server or ability to manipulate RDP traffic; memory corruption must be carefully crafted

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.23.0

Vendor Advisory: https://github.com/FreeRDP/FreeRDP/commit/169d358734509e82663a0d6a0085ae726d439d8e

Restart Required: Yes

Instructions:

1. Update FreeRDP to version 3.23.0 or later
2. Recompile if using source distribution
3. Restart any FreeRDP client sessions

🔧 Temporary Workarounds

Disable RDP Graphics Pipeline

linux

Disable the RDP graphics pipeline which contains the vulnerable code path

xfreerdp /gfx:off /v:target_server

Use Alternative RDP Client

all

Temporarily use alternative RDP clients like rdesktop or Microsoft RDP client

🧯 If You Can't Patch

Restrict RDP connections to trusted servers only
Implement network segmentation to isolate RDP traffic

🔍 How to Verify

Check if Vulnerable:

Check FreeRDP version with: xfreerdp --version | grep -E '^This.*[0-9]'

Check Version:

xfreerdp --version

Verify Fix Applied:

Confirm version is 3.23.0 or higher: xfreerdp --version

📡 Detection & Monitoring

Log Indicators:

FreeRDP segmentation faults
X11 client crashes with memory access errors

Network Indicators:

Unusual RDP traffic patterns to vulnerable clients

SIEM Query:

process.name:"xfreerdp" AND (event.action:"segmentation fault" OR event.action:"crash")

📊 Metadata

CVE ID: CVE-2026-25955

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: February 25, 2026

Last Updated: February 27, 2026

🔗 References

https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1484-L1492 Patch
https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1494-L1500 Patch
https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1528 Patch
https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/libfreerdp/gdi/gfx.c#L1224-L1227 Patch
https://github.com/FreeRDP/FreeRDP/commit/169d358734509e82663a0d6a0085ae726d439d8e Patch
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4g54-x8v7-559x Exploit,Mitigation,Patch,Vendor Advisory
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4g54-x8v7-559x Exploit,Mitigation,Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-25955, you might also want to check these: