CVE-2026-25955

FreeRDP has heap-use-after-free in xf_AppUpdateWindowFromSurface (stale XImage)

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue.

INFO

Published Date :

2026-02-25T20:32:42.458Z

Last Modified :

2026-02-26T15:54:09.229Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-25955 vulnerability.

Vendors	Products
Freerdp	Freerdp

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25955.

URL	Resource
https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1484-L1492
https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1494-L1500
https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/client/X11/xf_window.c#L1528
https://github.com/FreeRDP/FreeRDP/blob/5c7aae27d0417b42b4806c2a5c583ca39dd9ef1e/libfreerdp/gdi/gfx.c#L1224-L1227
https://github.com/FreeRDP/FreeRDP/commit/169d358734509e82663a0d6a0085ae726d439d8e
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4g54-x8v7-559x
https://nvd.nist.gov/vuln/detail/CVE-2026-25955
https://www.cve.org/CVERecord?id=CVE-2026-25955