diff --git a/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-25941.patch b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-25941.patch
new file mode 100644
index 0000000000..8a072b9359
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-25941.patch
@@ -0,0 +1,28 @@
+From 52f2ae7b2377efc80abb742e452a8565372fd29e Mon Sep 17 00:00:00 2001
+From: Armin Novak <armin.novak@thincast.com>
+Date: Mon, 9 Feb 2026 13:18:51 +0100
+Subject: [PATCH] [channels,rdpgfx] check available stream length
+
+(cherry picked from commit 2e3b77e28ac6a398897d28ba464dcc5dfab9c9e2)
+
+CVE: CVE-2026-25941
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/2e3b77e28ac6a398897d28ba464dcc5dfab9c9e2]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ channels/rdpgfx/client/rdpgfx_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/channels/rdpgfx/client/rdpgfx_main.c b/channels/rdpgfx/client/rdpgfx_main.c
+index dd59c8b23..c08436b40 100644
+--- a/channels/rdpgfx/client/rdpgfx_main.c
++++ b/channels/rdpgfx/client/rdpgfx_main.c
+@@ -1371,7 +1371,8 @@ static UINT rdpgfx_recv_wire_to_surface_2_pdu(GENERIC_CHANNEL_CALLBACK* callback
+ 	Stream_Read_UINT8(s, pdu.pixelFormat);       /* pixelFormat (1 byte) */
+ 	Stream_Read_UINT32(s, pdu.bitmapDataLength); /* bitmapDataLength (4 bytes) */
+ 	pdu.bitmapData = Stream_Pointer(s);
+-	Stream_Seek(s, pdu.bitmapDataLength);
++	if (!Stream_SafeSeek(s, pdu.bitmapDataLength))
++		return ERROR_INVALID_DATA;
+ 
+ 	DEBUG_RDPGFX(gfx->log,
+ 	             "RecvWireToSurface2Pdu: surfaceId: %" PRIu16 " codecId: %s (0x%04" PRIX16 ") "
diff --git a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
index 55cb356be2..f9e6f64e2f 100644
--- a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
            file://CVE-2024-32661.patch \
            file://CVE-2024-32662.patch \
            file://CVE-2025-4478.patch \
+           file://CVE-2026-25941.patch \
            "
 
 S = "${WORKDIR}/git"