NIXPKGS-2026-0360

GitHub issue published on 27 Feb 2026

Permalink CVE-2026-25941

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

FreeRDP: vuln_1_15_1 RDPGFX WIRE_TO_SURFACE_2 Out-of-Bounds Read

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue.

References

https://github.com/FreeRDP/FreeRDP/commit/2e3b77e28ac6a398897d28ba464dcc5dfab9c9e2 x_refsource_MISC
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3546-x645-5cf8 x_refsource_CONFIRM

Affected products

FreeRDP

==>= 2.0.0, < 2.11.8
==>= 3.0.0, < 3.23.0

Matching in nixpkgs

pkgs.freerdp

Remote Desktop Protocol Client

nixos-unstable 3.22.0
- nixpkgs-unstable 3.22.0
- nixos-unstable-small 3.22.0
nixos-25.11 3.22.0
- nixos-25.11-small 3.22.0
- nixpkgs-25.11-darwin 3.22.0

Package maintainers

@peterhoeg Peter Hoeg <peter@hoeg.com>

Upstream advisory: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3546-x645-5cf8
Upstream patch: https://github.com/FreeRDP/FreeRDP/commit/2e3b77e28ac6a398897d28ba464dcc5dfab9c9e2

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0360

References

Affected products

Matching in nixpkgs

pkgs.freerdp

Package maintainers