VYPR
Unrated severityNVD Advisory· Published Feb 25, 2026· Updated Feb 26, 2026

FreeRDP has heap-use-after-free in xf_AppUpdateWindowFromSurface (stale XImage)

CVE-2026-25955

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, xf_AppUpdateWindowFromSurface reuses a cached XImage whose data pointer references a freed RDPGFX surface buffer, because gdi_DeleteSurface frees surface->data without invalidating the appWindow->image that aliases it. Version 3.23.0 fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.