CVE-2026-25955
- Source
- https://cve.org/CVERecord?id=CVE-2026-25955
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-25955.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-25955
- Aliases
-
- GHSA-4g54-x8v7-559x
- Downstream
- Published
- 2026-02-25T20:32:42.458Z
- Modified
- 2026-03-20T12:48:18.084742Z
- Severity
-
- 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- FreeRDP has heap-use-after-free in xf_AppUpdateWindowFromSurface (stale XImage)
- Details
-
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0,
xf_AppUpdateWindowFromSurfacereuses a cachedXImagewhosedatapointer references a freed RDPGFX surface buffer, becausegdi_DeleteSurfacefreessurface->datawithout invalidating theappWindow->imagethat aliases it. Version 3.23.0 fixes the issue. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-416" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25955.json" }- References
-
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1484-L1492
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1494-L1500
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1528
- https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/libfreerdp/gdi/gfx.c#L1224-L1227
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25955.json
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4g54-x8v7-559x
- https://nvd.nist.gov/vuln/detail/CVE-2026-25955
- https://github.com/FreeRDP/FreeRDP/commit/169d358734509e82663a0d6a0085ae726d439d8e
Affected packages
Git / github.com/freerdp/freerdp
Affected ranges
- Type
- GIT
- Repo
- https://github.com/freerdp/freerdp
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
1.*
1.0-beta1
1.0-beta2
1.0-beta3
1.0-beta4
1.0-beta5
1.0.0
1.0.1
1.1.0-beta+2013071101
1.1.0-beta1
1.1.0-beta1+android2
1.1.0-beta1+android3
1.1.0-beta1+android4
1.1.0-beta1+android5
1.1.0-beta1+ios1
1.1.0-beta1+ios2
1.1.0-beta1+ios3
1.1.0-beta1+ios4
1.2.0-beta1+android7
1.2.0-beta1+android9
2.*
2.0.0
2.0.0-beta1+android10
2.0.0-beta1+android11
2.0.0-rc0
2.0.0-rc1
2.0.0-rc2
2.0.0-rc3
2.0.0-rc4
3.*
3.0.0
3.0.0-beta1
3.0.0-beta2
3.0.0-beta3
3.0.0-beta4
3.0.0-rc0
3.1.0
3.10.0
3.10.1
3.10.2
3.10.3
3.11.0
3.11.1
3.12.0
3.13.0
3.14.0
3.14.1
3.15.0
3.16.0
3.17.0
3.17.1
3.17.2
3.18.0
3.19.0
3.19.1
3.2.0
3.20.0
3.20.1
3.20.2
3.21.0
3.22.0
3.3.0
3.4.0
3.5.0
3.5.1
3.6.0
3.6.1
3.6.2
3.6.3
3.7.0
3.9.0